[WEB4LIB] Re: Accessing documents in multiple frames
Keith Higgs
dkh2 at po.cwru.edu
Thu Aug 22 16:11:02 EDT 2002
> -----Original Message-----
> From: web4lib at webjunction.org
> [mailto:web4lib at webjunction.org] On Behalf Of Eric Hellman
> Sent: Thursday, August 22, 2002 03:21 PM
> To: Multiple recipients of list
> Subject: [WEB4LIB] Re: Accessing documents in multiple frames
>
>
> since a javascript can talk to its source, if you let javascript read
> remote documents, then you would be letting the source of the
> javascript read any document you had access to, which would be a
> security issue to say the least.
>
> it helps sometimes to try thinking like a hacker.
>
Even scarier:

If your script is "signed" (think VeriSign digital certificate) your
JavaScript code has access to a hornets' nest of nasty methods that allow
it to access the client system all the way down to the ability to modify
the registry, execute programs, read/alter/delete files, and reformat
your drive. Browser security is such that in the absence of a digital
certificate that is specific to the script, an SSL certificate for the
server will be accepted. Thus, 1337_H4X0R_Dud3 ("leet hacker dude" for
those who don't read "leet speak") writes a script that does nasty
stuff, gets it hosted on an SSL-secured server, redirects you to an HTTPS://
URL that calls their code and can own you. This is why so many people
disable JavaScript in their browser.

A return to sanity: Although this is possible, for somebody who has the
inclination and knowledge to hack your system there are easier methods
than via JavaScript.
D. Keith Higgs <mailto:dkh2 at po.cwru.edu>
Case Western Reserve University, Webmaster - University Library
Additional Information at http://www.cwru.edu/UL/
"Follow the white rabbit."
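The rule Eric describes in the quoted message, that a script may read only documents from its own source, is the browser's same-origin policy. The following is an added example, not code from either poster: a small model of that rule, run over a constructed set of frames. It compares scheme, host and port (filling in the default port for http and https, which the message does not spell out) and refuses a cross-origin read the way a browser does with a SecurityError. The frame names and URLs are made-up sample data.

```javascript
// Added example: a model of the browser's same-origin policy, the rule
// that stops script loaded from one site from reading documents served
// by another, such as the document in a sibling frame.

// Default ports per scheme, used when a URL omits the port.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the origin tuple (scheme, host, port) of a URL string.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port: port };
}

// Two URLs share an origin only if scheme, host and port all match.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed sample frameset: each frame records the URL its document
// was loaded from and the document text a script might want to read.
const frames = {
  catalog: { url: "https://library.example.edu/catalog", body: "<html>catalog</html>" },
  vendor:  { url: "https://vendor.example.com/search",   body: "<html>vendor results</html>" },
  alt:     { url: "https://library.example.edu:8443/admin", body: "<html>admin</html>" },
};

// Model of what the browser does when script running at `scriptOrigin`
// tries to read the document in frame `name`: grant access only within
// the same origin, otherwise throw as a browser raises a SecurityError.
function readFrameDocument(scriptOrigin, name) {
  const frame = frames[name];
  if (!frame) {
    throw new Error("no such frame: " + name);
  }
  if (!sameOrigin(scriptOrigin, frame.url)) {
    throw new Error("SecurityError: " + scriptOrigin + " may not read " + frame.url);
  }
  return frame.body;
}

// List the frames a script from `scriptOrigin` is allowed to read.
function readableFrames(scriptOrigin) {
  return Object.keys(frames).filter(function (n) {
    return sameOrigin(scriptOrigin, frames[n].url);
  });
}

// Demonstration: the library's own script sees only the catalog frame;
// a script served by the vendor sees none of the library's documents.
console.log("library script can read:", readableFrames("https://library.example.edu/page"));
console.log("vendor script can read:", readableFrames("https://vendor.example.com/page"));
try {
  readFrameDocument("https://vendor.example.com/page", "catalog");
} catch (e) {
  console.log("blocked:", e.message);
}
```

Note that a different port (the `alt` frame on 8443) counts as a different origin even though the host and scheme match, which is why the library's own script is listed as able to read only the catalog frame.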