
Re: File Selection with HTML

From: Joris Huizer <joris_huizer@yahoo.com>
Date: Tue, 29 Apr 2003 00:43:09 -0700 (PDT)
Message-ID: <20030429074309.67414.qmail@web20204.mail.yahoo.com>
To: Kevin Hanna <kevin@hanna.net>
Cc: "'www-html@w3.org'" <www-html@w3.org>

Hello Kevin,

As far as I know, there are encryption methods of which no decryption is known ("easy" encryption but impossible decryption) - and this type of encryption is (? should be ?) used by all operating systems.

Unfortunately, in some OSes (at least, on many Windows versions) there's little difference between a standard user and the administrator - are you seriously suggesting all secret info of companies on the internet is at risk, as any cracker could break in within a few days??

Anyway, maybe some old OSes are badly secured - but they are insecure anyway - not only when an HTML page could send their info.

--- Kevin Hanna <kevin@hanna.net> wrote:
> 
> Joris,
> 
> That safety is FAR from ridiculous. If a cracker were to get their grubby hands on your encrypted passwords, it could easily take less than a minute to crack them using a dictionary attack. If the dictionary attack didn't work it could still take less than a day and likely not more than 2 days.
> 
> Operating systems have a default location for storing the passwords (and other relevant information). Browsers tell the web server which operating system is being used. So figuring out EXACTLY what file(s) to grab requires no guesswork. If somebody with superuser privileges were to open a page that exploited that safety, they could easily have most of the passwords to that system in less than a couple of days.
> 
> The trick is operating systems encapsulate that information fairly well and exercise restrictions on how often or frequently a "user" can make login attempts. For instance most network operating systems allow you to restrict a user to X number of failed logins or require X number of seconds to pass before another login attempt. Which means a cracker can make a total of say 3 attempts before the account is locked, or they would have to wait possibly 3 seconds before they could make a second, third... attempt, which means it would take them about 3 million times longer to use the dictionary attack.
> 
> Cheers,
> Kevin Hanna
> 
> Joris Huizer wrote:
> 
> > This is a safety problem. You could do
> >   <input type="file" value="C:\secrets.txt" style="display:none">
> >
> > assuming a file in DOS or Windows on C:\secrets.txt - and a lack of true safety precautions on this file, I could upload your secrets.
> >
> > Now I think this idea is ridiculous: this theory assumes a web designer would know EXACTLY where a file is - I think it's safe to say such a file must be a system file. Even if you would know where passwords are stored, you can't get through encryption (unless we all are at great risk on the internet anyway)
> >
> > --- "Meyer, Stephen" <smeyer01@harris.com> wrote:
> >
> > > Hello,
> > >   I am having an issue with HTML file selection. On my page if a value that the user selected is displayed in the file selection text field and then a submit button is selected, the value disappears if the submit had an error. The HTML page has text values and a file selection value that are validated upon submit. If the validation fails the page returns with an error message. All the text values remain but the value in the file selection text field is gone. I can see it in the 'VALUE=' field if I view the source code but it does not display on the page. Has anyone run across this issue before? It happens with IE 5.5 and Netscape 4.77. Any help is appreciated.
> > >
> > > Steve Meyer
> >


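The two defences the thread relies on, a one-way password hash (Joris's "easy encryption, impossible decryption") and Kevin's limits on failed logins, put together as an added example that is not part of this thread. The 3-attempt lockout and 3-second spacing are Kevin's figures; the `Account` class, the PBKDF2 parameters and the result strings are assumptions of this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

MAX_FAILURES = 3     # assumed policy: lock the account after 3 failed logins
MIN_INTERVAL = 3.0   # assumed policy: at least 3 seconds between attempts


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way: the stored digest cannot be turned back into the password,
    it can only be recomputed from a candidate and compared."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class Account:
    """Hypothetical password store entry with the failed-login rules the thread describes."""

    def __init__(self, password: str):
        self.salt, self.digest = hash_password(password)
        self.failures = 0
        self.last_attempt: Optional[float] = None   # clock reading of the last checked attempt
        self.locked = False

    def login(self, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'bad-password', 'too-fast' or 'locked'.
        `now` lets a test drive the clock; real callers leave it None."""
        now = time.monotonic() if now is None else now
        if self.locked:
            return "locked"
        if self.last_attempt is not None and now - self.last_attempt < MIN_INTERVAL:
            # Rejected before the hash is even computed: this spacing is what
            # multiplies the cost of an offline-style guessing loop.
            return "too-fast"
        self.last_attempt = now
        _, candidate = hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.digest):   # constant-time compare
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True                            # stays locked until an admin resets it
        return "bad-password"
```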
Received on Tuesday, 29 April 2003 03:43:11 GMT
