- From: Peter Sorotokin <psorotok@adobe.com>
- Date: Thu, 04 Nov 2004 12:37:04 -0800
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- Cc: www-svg@w3.org
At 01:19 PM 11/4/2004 -0600, Boris Zbarsky wrote:
>Peter Sorotokin wrote:
>>>The problem is that it allows evil.com, say, to make it look like John
>>>Smith, who was just looking at the nice SVG image on evil.com, was
>>>sending spam through the mail servers run by randomisp.net...
>>But evil.com would have to hack randomisp.net site and inject its code there.
>
>No, it would not. It would just need to make John's computer make (or try
>to make) a socket connection to randomisp.net. This could happen
>automatically the moment John loads an evil.com webpage. I would not be
>surprised if certain kinds of connection attempts are illegal in some
>jurisdictions within a few years' time.

Cross-host connections are certainly outlawed. Even for URLRequest.

>>Essentially, two things have to happen: hackable HTTP server and open
>>SMTP server on the same machine. They do happen - and that is the
>>problem, not Socket APIs.
>
>No, the hackable HTTP server is absolutely not required here. The open
>SMTP server makes the problem worse, but the problem is there even without
>the open SMTP server.
>
>>>Since the socket connection is made from John Smith's machine
>
>This was the key part. Did you notice it?

Certainly, it is just that I was under the assumption that everyone understood that cross-host connections are not allowed. So an evil.org page can connect only back to the evil.org server.

Peter

>>What if randomisp.net also allows sending mail through port 80 (Web
>>Service or some sort of custom POST, etc)?
>
>Of course. You have to block both access to random ports and access to any
>host but the originating one... Which radically reduces utility,
>unfortunately :(.
>
>-Boris
Received on Thursday, 4 November 2004 20:37:31 UTC
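
The two restrictions discussed in this thread (connect back only to the originating host, and optionally only to the originating port), written out as a policy check. This is an added example, not part of the original messages and not code from any SVG implementation; checkSocketRequest, its samePortOnly option and the sample URL path are assumptions made for illustration.

```javascript
// Added example: decides whether script loaded from pageUrl may open a
// socket to targetHost:targetPort. All names here are hypothetical.
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// Host names compare case-insensitively; "evil.com." and "evil.com"
// name the same host, so drop one trailing dot.
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// Host and effective port the page itself was loaded from.
function originOf(pageUrl) {
  const u = new URL(pageUrl);
  const port = u.port !== "" ? Number(u.port) : DEFAULT_PORTS[u.protocol];
  if (port === undefined) {
    throw new Error("unsupported scheme: " + u.protocol);
  }
  return { host: normalizeHost(u.hostname), port };
}

// samePortOnly = false: host-only rule ("connect only back to the
//   originating server").
// samePortOnly = true (default): additionally refuse every port other
//   than the one the page came from ("block access to random ports").
function checkSocketRequest(pageUrl, targetHost, targetPort, opts = {}) {
  const samePortOnly = opts.samePortOnly !== false;
  const origin = originOf(pageUrl);
  if (!Number.isInteger(targetPort) || targetPort < 1 || targetPort > 65535) {
    return { allowed: false, reason: "invalid port" };
  }
  if (normalizeHost(targetHost) !== origin.host) {
    return { allowed: false, reason: "cross-host" };
  }
  if (samePortOnly && targetPort !== origin.port) {
    return { allowed: false, reason: "port differs from origin" };
  }
  return { allowed: true, reason: "same origin" };
}

// Constructed requests using the host names from the thread.
const page = "http://evil.com/image.svg";
console.log(checkSocketRequest(page, "randomisp.net", 25)); // cross-host
console.log(checkSocketRequest(page, "randomisp.net", 80)); // cross-host
console.log(checkSocketRequest(page, "evil.com", 25, { samePortOnly: false }));
console.log(checkSocketRequest(page, "evil.com", 25)); // port differs
```

The host rule alone already refuses the port-80 mail gateway case, because the target host differs from the page's host whatever the port; the port rule only changes the outcome for connections back to the originating host.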