Is it possible for site to read or write to (other than cookies) users' computers?

  1. #1
    Junior Member
    Join Date
    Apr 2004
    Posts
    6

    Is it possible for site to read or write to (other than cookies) users' computers?

    For example:
    1. placing a file, not damaging, on the hard drive when cookies are disabled, to be read upon each visit

    OR

    2. reading contents of user's home directory in 'my documents'

  2. #2
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Spyware comes to mind. That can install itself on your machine if you browse a website.

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    It's possible to download a file by falsifying the MIME type, but you cannot read it. You might also wind up in jail doing it. You cannot view the contents of someone's computer without hacking into it. If you want to track someone without cookies, look into the use of ETags and other header tags.

    There are JavaScripts which can make a user think the contents of their computer are being viewed online, but it is only seen on the local computer, by clicking on a link that points to a folder on the local computer, much like typing the location in the address bar (hope I explained that OK).

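Added example (not part of any post in this thread): post #3 mentions ETags as a way to track a visitor without cookies. One way to check for that from the user's side is to fetch the same resources with two fresh browser profiles and flag any URL whose ETag stays fixed for one profile but differs between profiles even though the content is byte-identical. The observations, URLs and function names below are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed observations: (profile, url, etag, body) recorded while fetching
# the same pages with separate, freshly created browser profiles.
OBSERVATIONS = [
    ("profile-a", "https://site.example/logo.png", '"5f2c-1a"', b"PNGDATA"),
    ("profile-b", "https://site.example/logo.png", 'W/"5f2c-1a"', b"PNGDATA"),
    ("profile-a", "https://site.example/pixel.gif", '"u-93ab17"', b"GIF89a"),
    ("profile-a", "https://site.example/pixel.gif", '"u-93ab17"', b"GIF89a"),
    ("profile-b", "https://site.example/pixel.gif", '"u-c04e55"', b"GIF89a"),
    ("profile-b", "https://site.example/pixel.gif", '"u-c04e55"', b"GIF89a"),
]

def normalize(etag):
    """Drop the weak-validator prefix so W/"x" and "x" compare equal."""
    return etag[2:] if etag.startswith("W/") else etag

def suspicious_etags(observations):
    """Return URLs whose ETag identifies the client rather than the content."""
    per_url = defaultdict(lambda: defaultdict(set))   # url -> profile -> {etag}
    bodies = defaultdict(set)                         # url -> {body digest}
    for profile, url, etag, body in observations:
        per_url[url][profile].add(normalize(etag))
        bodies[url].add(hashlib.sha256(body).hexdigest())
    flagged = []
    for url, profiles in per_url.items():
        if len(profiles) < 2 or len(bodies[url]) != 1:
            continue  # need two clients and identical content to compare
        # Each profile keeps seeing one value across repeat visits ...
        stable = all(len(tags) == 1 for tags in profiles.values())
        # ... and no two profiles share a value for the same bytes.
        distinct = len(set().union(*profiles.values())) == len(profiles)
        if stable and distinct:
            flagged.append(url)
    return sorted(flagged)

if __name__ == "__main__":
    for url in suspicious_etags(OBSERVATIONS):
        print("per-client ETag:", url)
```

Clearing the browser cache, not just cookies, discards stored ETags, so a flagged resource loses its identifier on the next visit.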
  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    In simple terms the answer is "yes"... a malicious site could run stuff on your machine... obviously the software manufacturers issue updates to counteract this sort of activity, but it is technically quite possible.

    CERT have a lot of stuff on this sort of thing. SANS as well?

    I would have thought that you would be more liable to attack via your network though, unless you are in the habit of browsing "those" sorts of site.

    If it is a pr0n site I would expect you to get a browser hijacker or the like... from WAREZ sites you could get anything?

    Just my thoughts based on cleaning up a load of systems in the past few months?

    Cheers

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    I'd recommend sifting through SANS' Reading Room on various topics. It is fairly comprehensive, and is a highlight of works done by various SANS cert graduates (GSEC, GCUX, GIAC, etc).

    It can be found at: http://www.sans.org/rr/
    Chris Shepherd

  6. #6
    Flash M0nkey
    Join Date
    Sep 2001
    Posts
    3,447
    Also, Flash can store Local Shared Objects on a person's PC, very much like a cookie. These Shared Objects can be written by Flash and also read by Flash.

    More info on Local Shared Objects here.

    I know these can be disabled through your Flash player; by default I think it is on... The person viewing the site must also have the latest Flash player installed. I am not sure, but because the browser is not writing the cookie (Flash is), it may bypass people's settings if they have asked their browser not to accept cookies. May need to have this confirmed though, as I have worked very little with Local Shared Objects.

    v_Ln

  7. #7
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    As already pointed out, you can block Flash Shared Objects, much like cookies. But yeah, spyware seems to install itself fairly easily; of course, you can have some very strict settings on your browser. Unfortunately, it might be that some website content will not be available.

    And, Tedob1, is it through such JavaScripts that some websites [pop-ups] can show the content of your HDD in a browser window? I mean, is it executed locally - meaning the website does not really have any information about you - or is it truly remote, meaning that some information can be obtained through such applets?

    I hope that's phrased all right.
    /\\

  8. #8
    Flash M0nkey
    Join Date
    Sep 2001
    Posts
    3,447
    As already pointed out, you can block Flash Shared objects, much like cookies.
    Yup, but most users will not be aware of Flash's ability to store such objects, never mind know how to disable them. IMHO more people have heard of cookies (as well as the scare stories) than have heard of Flash's Local Shared Objects.

    v_Ln

  9. #9
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Websites have the same permissions over your system as the web browser process.

    Many people worry about getting a secure web browser, while what they should be doing is limiting the browser's (whichever it is) power. (running it in a sandbox or under the UID of a very weak user spring to mind.)

    catch

  10. #10
    Flash M0nkey
    Join Date
    Sep 2001
    Posts
    3,447
    OK, had to check the Flash thing...

    Wrote a small file that would write a test LSO to the user's HD and then attempt to view it. If the file is not found then obviously it is being blocked by the browser; if found then I could deduce that the browser settings have no effect on whether or not Flash stores its own LSO.

    Tested it in IE and Opera with all cookies disabled... Flash could still read & write.

    Just to be sure there wasn't a problem with my coding, I went to double check online and found this page on Macromedia's site.

    It was able to remember my name and number of visits even without cookies enabled... Set IE to prompt for cookies: it showed the prompt, but not for the Flash file, as even when I turned down the prompts it could still remember the number of visits and name.

    Also came across this site by Macromedia to enable you to change your Flash player settings.

    v_Ln
