<OT> VBscript in html: Security threat?
Roger Oberholtzer
roger
Mon May 17 11:51:43 PDT 2004
That is why if we want to use fancy client-side scripting, we use tcl/tk. It
has always had a concept of a safe mode, which in the browser plugins is the
default. Anything that accesses a local resource beyond mouse/keyboard/display
is simply not available. The commands do not even exist in the
interpreter. Of course, as a sysadmin, you 'could' allow more. Just before
looking for that new job.
On Wed, 27 Aug 2003 17:45:07 -0700
Condon Thomas A KPWA <tcondon at kpt.nuwc.navy.mil> wrote:
> Joel Hammer wrote:
> > I see that vbscript can be embedded in html.
> >
> > Javascript was written to make it very hard to attack the client
> > computer, whereas vbscript doesn't have these safeguards built in,
> > does it? VBscript can do a lot of stuff, like write to your hard
> > drive and run windows software. It really is a beaut.
>
> But we know *everybody* wants to run windows software. This is a *favor*
> they are doing us.
>
> > It would seem like child's play to encode malicious things in vbscript
> > and let the IE users get whacked. If IE somehow was protected against
> > running this program, it would be easy to make a vbscript a payload
> > (cool screen saver!) and then have the unlucky user click on it and
> > run it.
--
Roger Oberholtzer
OPQ Systems AB
Erik Dahlbergsgatan 41-43
115 34 Stockholm
Sweden

E-mail: roger at opq.se
WWW: http://www.opq.se/
Phone: Int + 46 8 314223
Mobile: Int + 46 733 621657
Fax: Int + 46 8 302602
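
The safe-mode behaviour described in the message above, shown with Tcl's standard `interp create -safe` as an added example that is not part of the original post. The file name `example.txt`, the `readMotd` proc and the `motd` alias are hypothetical names made up for the illustration.

```tcl
# Added illustration (not from the original post): a Tcl safe interpreter.
# Run with tclsh. Untrusted script code is evaluated in $child only.
set child [interp create -safe]

# Commands that reach local resources are hidden in a safe interpreter,
# so from inside it they do not exist at all.
foreach cmd {open exec socket source load cd} {
    set visible [interp eval $child [list info commands $cmd]]
    puts [format "%-7s visible inside safe interp: %s" \
        $cmd [expr {$visible ne ""}]]
}

# The parent can list what was hidden from the child.
puts "hidden from child: [lsort [interp hidden $child]]"

# An untrusted script that tries to write a file fails on the first
# command with "invalid command name", not with a permission error.
# (example.txt is a constructed name; the file is never created.)
set untrusted {
    set f [open example.txt w]
    puts $f "data"
    close $f
}
if {[catch {interp eval $child $untrusted} err]} {
    puts "untrusted script stopped: $err"
}

# Harmless commands still work inside the safe interpreter.
puts "safe arithmetic: [interp eval $child {expr {6 * 7}}]"

# "You could allow more": the parent decides what to add. A narrow alias
# that runs in the trusted parent exposes far less than re-exposing a
# hidden command such as open would.
proc readMotd {} {
    # hypothetical helper; returns a constructed string
    return "constructed message of the day"
}
interp alias $child motd {} readMotd
puts "alias result: [interp eval $child motd]"

interp delete $child
```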