Re: SVG 1.2 Comment: B.2.3 Socket Connections

At 01:19 PM 11/4/2004 -0600, Boris Zbarsky wrote:
>Peter Sorotokin wrote:
>>>The problem is that it allows evil.com, say, to make it look like John 
>>>Smith, who was just looking at the nice SVG image on evil.com, was 
>>>sending spam through the mail servers run by randomisp.net...
>>But evil.com would have to hack the randomisp.net site and inject its code there.
>
>No, it would not.  It would just need to make John's computer make (or try 
>to make) a socket connection to randomisp.net.  This could happen 
>automatically the moment John loads an evil.com webpage.  I would not be 
>surprised if certain kinds of connection attempts are illegal in some 
>jurisdictions within a few years' time.

Cross-host connections are certainly outlawed. Even for URLRequest.


>>Essentially, two things have to happen: a hackable HTTP server and an open 
>>SMTP server on the same machine. They do happen - and that is the 
>>problem, not Socket APIs.
>
>No, the hackable HTTP server is absolutely not required here.  The open 
>SMTP server makes the problem worse, but the problem is there even without 
>the open SMTP server.
>
>>>Since the socket connection is made from John Smith's machine
>
>This was the key part.  Did you notice it?

Certainly, it is just that I was under the assumption that everyone understood that 
cross-host connections are not allowed. So an evil.org page can connect only 
back to the evil.org server.

Peter


>>What if randomisp.net also allows sending mail through port 80 (Web 
>>Service or some sort of custom POST, etc)?
>
>Of course. You have to block both access to random ports and access to any 
>host but the originating one...  Which radically reduces utility, 
>unfortunately  :(.
>
>-Boris

Received on Thursday, 4 November 2004 20:37:31 UTC
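
The restriction the thread converges on (a page may open a socket only to the host it was loaded from, and not to arbitrary ports), as an added example that is not part of the original message or of SVG 1.2. `checkSocketRequest` and its reason strings are hypothetical, and reading "random ports" as any port other than the one the document was served from is an assumption.

```javascript
// Added example: a hypothetical user-agent policy check, not SVG 1.2 or browser code.
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// Compare hosts case-insensitively and ignore a single trailing root dot.
function normalizeHost(host) {
  return String(host).toLowerCase().replace(/\.$/, "");
}

// Derive the (host, port) the document was actually served from.
function originOf(documentUrl) {
  const url = new URL(documentUrl);
  const port = url.port ? Number(url.port) : DEFAULT_PORTS[url.protocol];
  if (port === undefined) {
    throw new Error("no network origin for scheme " + url.protocol);
  }
  return { host: normalizeHost(url.hostname), port: port };
}

// Decide whether script in documentUrl may open a socket to targetHost:targetPort.
function checkSocketRequest(documentUrl, targetHost, targetPort) {
  let origin;
  try {
    origin = originOf(documentUrl);
  } catch (err) {
    // file:, data:, or unparsable URLs have no host to connect back to.
    return { allowed: false, reason: "no-origin" };
  }
  if (!Number.isInteger(targetPort) || targetPort < 1 || targetPort > 65535) {
    return { allowed: false, reason: "invalid-port" };
  }
  // Host check: stops the evil.com page from reaching randomisp.net on any port.
  if (normalizeHost(targetHost) !== origin.host) {
    return { allowed: false, reason: "cross-host" };
  }
  // Port check: stops a same-host page from reaching other services (e.g. SMTP).
  if (targetPort !== origin.port) {
    return { allowed: false, reason: "port-not-origin" };
  }
  return { allowed: true, reason: "same-host-same-port" };
}

// Constructed requests mirroring the cases argued in the thread.
const SAMPLE_REQUESTS = [
  ["http://evil.com/image.svg", "randomisp.net", 25],
  ["http://evil.com/image.svg", "randomisp.net", 80],
  ["http://evil.org/page.svg", "evil.org", 25],
  ["http://evil.org/page.svg", "EVIL.org.", 80],
];
const SAMPLE_DECISIONS = SAMPLE_REQUESTS.map((r) => checkSocketRequest(...r));
```

Only the last constructed request is allowed, which is the loss of utility the final quoted reply points out.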