[4618] in WWW Security List Archive
Re: Javascript run program
daemon@ATHENA.MIT.EDU (Henri Torgemane)
Fri Feb 28 18:24:24 1997
From: "Henri Torgemane" <Henri.Torgemane@etu.utc.fr>
To: <www-security@ns2.rutgers.edu>
Date: Thu, 30 Jan 1997 15:37:40 -0500
Errors-To: owner-www-security@ns2.rutgers.edu
> Hello
>
> I read in a magazine that it was possible to run some program using
> Javascript.
>
> For example shell access, E-Mail send, and several other things,
> without asking the user.
>
> Where can I get more information about that?
>
> Thanks a lot
>
> Olivier
>
The official version is "Javascript is secure because it runs in a sand-box, so nothing evil can ever happen."
Now.. There have been some security flaws in some old releases of Navigator (2.0, mainly).
But javascript has never allowed anybody to get shell access.
In fact, the current release of Netscape Navigator is pretty safe.
It was possible with 3.0 to make you send an e-mail without your knowledge, but this has been corrected in 3.01.
The only way you can get shell access with a web server is by using a hole in a cgi, like phf. But this is a server-side threat.
Now, with Navigator 4.0, javascript should be able to do a lot of things previously inhibited for security reasons. But this will be controlled by a security mechanism (probably some certificates), and I hope you'll be able to select precisely what you want to allow or not.
BTW, I'd like to know in which magazine you found this kind of propaganda..
( I imagine it's a French magazine.. )
Henri
--
Henri.Torgemane@etu.utc.fr http://hpweb.utc.fr/~htorgema/