Re: SVG 1.2 Comment: B.2.3 Socket Connections

Peter Sorotokin wrote:
>> The problem is that it allows evil.com, say, to make it look like John 
>> Smith, who was just looking at the nice SVG image on evil.com, was 
>> sending spam through the mail servers run by randomisp.net...
> 
> But evil.com would have to hack randomisp.net site and inject its code 
> there.

No, it would not.  It would just need to make John's computer make (or 
try to make) a socket connection to randomisp.net.  This could happen 
automatically the moment John loads an evil.com webpage.  I would not be 
surprised if certain kinds of connection attempts are illegal in some 
jurisdictions within a few years' time.

> Essentially, two things have to happen: a hackable HTTP server and 
> an open SMTP server on the same machine. They do happen - and that is the 
> problem, not Socket APIs.

No, the hackable HTTP server is absolutely not required here.  The open 
SMTP server makes the problem worse, but the problem is there even 
without the open SMTP server.

>> Since the socket connection is made from John Smith's machine

This was the key part.  Did you notice it?

> What if randomisp.net also allows sending mail through port 80 (Web 
> Service or some sort of custom POST, etc)?

Of course. You have to block both access to random ports and access to 
any host but the originating one...  Which radically reduces utility, 
unfortunately  :(.

-Boris

Received on Thursday, 4 November 2004 19:20:01 UTC
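
The restriction described at the end of the message above (no arbitrary ports, no host other than the originating one), sketched as an added example. It is not part of the original message or of any SVG implementation. The function name checkSocketRequest, the "same port as the document" rule and the sample requests are assumptions made for illustration.

```javascript
// Added example: policy gate for a hypothetical script socket API.
// The rule (same host, same port as the document) is an assumption
// modelled on the restriction described in the message above.

const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// Lowercase and drop a trailing root dot so "Evil.COM." equals "evil.com".
function normalizeHost(host) {
  return String(host).toLowerCase().replace(/\.$/, "");
}

// Return { allowed, reason } for a socket request made by content
// loaded from documentUrl.
function checkSocketRequest(documentUrl, targetHost, targetPort) {
  let doc;
  try {
    doc = new URL(documentUrl);
  } catch (e) {
    return { allowed: false, reason: "unparseable document URL" };
  }
  const originPort = doc.port ? Number(doc.port) : DEFAULT_PORTS[doc.protocol];
  if (originPort === undefined) {
    return { allowed: false, reason: "document scheme has no network origin" };
  }
  if (!Number.isInteger(targetPort) || targetPort < 1 || targetPort > 65535) {
    return { allowed: false, reason: "invalid port" };
  }
  if (normalizeHost(targetHost) !== normalizeHost(doc.hostname)) {
    return { allowed: false, reason: "host is not the originating host" };
  }
  if (targetPort !== originPort) {
    return { allowed: false, reason: "port is not the originating port" };
  }
  return { allowed: true, reason: "same host and port as the document" };
}

// Constructed requests, using the host names from the thread.
const page = "http://evil.com/nice-image.svg";
const samples = [
  ["randomisp.net", 25], // mail server on another host
  ["randomisp.net", 80], // the "mail through port 80" case
  ["evil.com", 25],      // originating host, different port
  ["EVIL.com.", 80],     // originating host and port
];
for (const [host, port] of samples) {
  const r = checkSocketRequest(page, host, port);
  console.log(`${host}:${port} -> ${r.allowed ? "allow" : "deny"} (${r.reason})`);
}
```

Only the last sample is allowed, which is the loss of utility the message points out.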