-
April 5th, 2004, 06:14 PM
#1
Junior Member
Is it possible for a site to read or write to (other than cookies) users' computers?
For example:
1. placing a file, not damaging, on the hard drive when cookies are disabled, to be read upon each visit
OR
2. reading contents of user's home directory in 'my documents'
-
April 5th, 2004, 06:18 PM
#2
Spyware comes to mind. That can install itself on your machine if you browse a website.
-
April 5th, 2004, 07:07 PM
#3
It's possible to download a file by falsifying the MIME type, but you cannot read it. You might also wind up in jail doing it. You cannot view the contents of someone's computer without hacking into it. If you want to track someone without cookies, look into the use of ETags and other header tags.
There are JavaScripts which can make a user think the contents of their computer are being viewed online, but it is only seen on the local computer, by clicking on a link that points to a folder on the local computer, much like typing the location in the address bar (hope I explained that OK).
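An added example, not part of the original posts: a defender-side check for the ETag tracking mentioned in post #3. It assumes you have fetched the same resources from several fresh-cache test clients; the records, URLs and ETag values below are constructed, and the function name is hypothetical.

```python
from collections import defaultdict

# Constructed sample: (test client, URL, body digest label, ETag response header).
# Every client started with an empty cache and no cookies.
OBSERVATIONS = [
    ("client-a", "https://site.example/logo.png", "body-1", '"5e1f-3a9c"'),
    ("client-b", "https://site.example/logo.png", "body-1", 'W/"5e1f-3a9c"'),
    ("client-c", "https://site.example/logo.png", "body-1", '"5e1f-3a9c"'),
    ("client-a", "https://site.example/pixel.gif", "body-2", '"u-81c2e0a4"'),
    ("client-b", "https://site.example/pixel.gif", "body-2", '"u-19d7b3f0"'),
    ("client-c", "https://site.example/pixel.gif", "body-2", '"u-c44a02e9"'),
]


def normalize_etag(value):
    """Drop the weak-validator prefix (W/) and the surrounding quotes."""
    value = value.strip()
    if value.startswith("W/"):
        value = value[2:]
    return value.strip('"')


def suspicious_etags(observations):
    """Return {url: sorted ETags} where identical bodies got a unique ETag per client.

    An ETag derived from content is the same for every client that receives
    the same bytes. A value that differs for each client is sent back in
    If-None-Match on revalidation, so it can work as a cookie-like identifier
    that survives disabling cookies.
    """
    groups = defaultdict(dict)  # (url, body digest) -> {client: etag}
    for client, url, body, etag in observations:
        groups[(url, body)][client] = normalize_etag(etag)

    flagged = {}
    for (url, _body), per_client in groups.items():
        tags = set(per_client.values())
        # Needs at least two clients; flag only if no two clients share a value.
        if len(per_client) >= 2 and len(tags) == len(per_client):
            flagged[url] = sorted(tags)
    return flagged


if __name__ == "__main__":
    for url, tags in suspicious_etags(OBSERVATIONS).items():
        print(url, tags)
```

A hit is a lead, not proof: servers behind a load balancer can emit different ETags for the same file, so repeat the fetch before concluding. Clearing the browser cache discards the stored validator.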
-
April 5th, 2004, 08:07 PM
#4
In simple terms the answer is "yes"................a malicious site could run stuff on your machine........obviously the software manufacturers issue updates to counteract this sort of activity, but it is technically quite possible.
CERT have a lot of stuff on this sort of thing. SANS as well?
I would have thought that you would be more liable to attack via your network though, unless you are in the habit of browsing "those" sorts of site
If it is a pr0n site I would expect you to get a browser hijacker or the like............from WAREZ sites you could get anything?
Just my thoughts based on cleaning up a load of systems in the past few months?
Cheers
-
April 5th, 2004, 08:58 PM
#5
I'd recommend sifting through SANS' Reading Room on various topics. It is fairly comprehensive, and is a highlight of works done by various SANS cert graduates (GSEC, GCUX, GIAC, etc).
It can be found at: http://www.sans.org/rr/
Chris Shepherd
-
April 5th, 2004, 10:28 PM
#6
Also Flash can store Local Shared Objects on a person's PC - very much like a cookie. These Shared Objects can be written by Flash and also read by Flash.
more info on Local Shared Objects here
I know these can be disabled through your Flash player - by default I think it is on....the person viewing the site must also have the latest Flash player installed. Am not sure, but because the browser is not writing the cookie - Flash is - it may bypass people's settings if they have asked their browser not to accept cookies. May need to have this confirmed though, as I have worked very little with Local Shared Objects.
v_Ln
-
April 5th, 2004, 10:48 PM
#7
As already pointed out, you can block Flash Shared objects, much like cookies. But yeah, spyware seems to install itself fairly easy, of course you can have some very strict settings on your browser. Unfortunately, it might be that some website content will not be available.
And, Tedob1, is it through such JavaScripts that some websites [pop-ups] can show the content of your HDD in a browser window? I mean, is it executed locally - meaning the website does not really have any information about you - or is it truly remote, meaning that some information can be obtained through such applets?
I hope that's phrased all right.
-
April 5th, 2004, 11:08 PM
#8
"As already pointed out, you can block Flash Shared objects, much like cookies."
Yup, but most users will not be aware of Flash's ability to store such objects, never mind know how to disable them. IMHO more people have heard of cookies (as well as the scare stories) than have heard of Flash's Local Shared Objects.
v_Ln
-
April 5th, 2004, 11:25 PM
#9
Websites have the same permissions over your system as the web browser process.
Many people worry about getting a secure web browser, while what they should be doing is limiting the browser's (whichever it is) power. (running it in a sandbox or under the UID of a very weak user spring to mind.)
catch
-
April 6th, 2004, 12:28 AM
#10
ok had to check the flash thing....
Wrote a small file that would write a test LSO to the user's HD and then attempt to view it - if file not found then obviously it is being blocked by the browser - if found then I could deduce that the browser settings have no effect on whether or not Flash stores its own LSO.
Tested it in IE and Opera - with all cookies disabled....Flash could still read & write.
Just to be sure there wasn't a problem with my coding, I went to double check online and found this page on Macromedia's site.
It was able to remember my name and number of visits even without cookies enabled....set IE to prompt for cookies; it showed the prompt but not for the Flash file, as even when I turned down the prompts it could still remember number of visits name.
Also came across this site by Macromedia to enable you to change your Flash player settings.
v_Ln