Fedora Security and the Uverse 3800HGV-B router

JD jd1008 at gmail.com
Sat Jul 2 23:39:28 UTC 2011


On 07/02/2011 10:39 AM, Marko Vojinovic wrote:
> On Saturday 02 July 2011 15:50:18 JD wrote:
>> On 07/02/2011 01:32 AM, Reindl Harald wrote:
>>> On 02.07.2011 06:14, JD wrote:
>>>> It is THE trojan horse hiding in plain sight and can access
>>>> EVERYTHING on your system that YOU have access to and
>>>> send it back to whatever destination the javascript was
>>>> written to send it to.
>>> if you had a little background you would know that,
>>> for example, you cannot select and upload files
>> If a javascript can browse all accessible files, what's there
>> to prevent someone from writing a javascript to spawn
>> a process to upload your files?
> Permissions system? While the contents of / directory can be listed by just
> about any user on the system, it's a completely different story for writing to
> it. Also, can you browse through home directories of other users from the
> router? I doubt.
>
Good question.
The dirs whose owners set to 0700 perms,
I cannot browse.
As I said, the script allows access to files that
the current user, accessing the web, has access to.
So, one's own personal files are at risk, and files of
other users which have permissive perms are at
risk.
As far as writing, the script is running with the user
credentials. Why would it not be able to write to or
delete the user's own files or other users' files which
have permissive perms settings?


>> A simpler example, how do you think a javascript can
>> tell that you have been to some particular site?
>> It uploads your cookies.
>>
>>>> Come on, people! JAVASCRIPT being executed by your
>>>> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!
>>> so stop whining and install "noscript" and do not click on every link
>>> wanting to remove javascript from the browsers is polemic and childish
>> Yes, I do have noscript.
>> And in addition, Firefox gives us the option
>> to disable javascript under the tab
>> Edit->Preferences->Content
>> However, hundreds of millions of people are
>> oblivious to this threat.
> While I don't particularly like javascript myself, I disagree that it is a
> serious security threat. At least on Linux (Windows is a completely different
> story).
Actually, I found windows unprivileged users are
unable to browse other users' directories in
C:\documents and settings\UserX for example.
I am not sure how a windows user can set the perms
of his files and dirs to make them visible to others without
deliberately setting those files and dirs to be SHARED.
On linux, a user exposes his files and dirs by the perms
settings.

>> If it is not made a public issue, people will not
>> become aware of it and continue to be invaded
>> and their personal files be compromised.
>> And I was not expecting the router to send
>> such javascript at me, so I had allowed scripts for it.
>> What a surprise that was!
> When you see a person disappear from a magician's box and reappear on the
> other side of the stage, are you equally surprised that the magician has
> supernatural powers that nobody bothers to investigate?
>
> Or is it just a simple con?
>
> Go create a new dummy user on your machine, create somefile.txt in his home
> directory, log in as yourself and try to view the file using the router. If you
> succeed, the permissions on your system are compromised. If you don't, then
> you are fussing over that router more than it's worth. In both cases I doubt
> that javascript has much to do with it.
As stated above, if the perms are set to... say 0700 on the
user's home dir, then no I cannot browse it by the browser.

And this is NOT the issue I was raising, so you diverge quite a bit.

It is the fact that a javascript sent by a web site can indeed
open my files and can upload them to a remote site.
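
An added example, not part of the original message or thread: a Python sketch of the permission point argued above, listing which paths under a directory the mode bits leave readable to an unrelated local account. The function names and the sample layout (alice, bob) are constructed for illustration, and only mode bits are examined (ACLs and SELinux are ignored).

```python
import os
import stat
import tempfile


def world_exposed(root):
    """Relative paths under root readable by "other" per mode bits alone
    (assumption: no ACLs or SELinux policy are considered)."""
    exposed = []

    def walk(directory, rel):
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            relpath = os.path.join(rel, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISDIR(mode):
                if not mode & stat.S_IXOTH:
                    continue  # no o+x (e.g. 0700): nothing below is reachable
                if mode & stat.S_IROTH:
                    exposed.append(relpath + "/")  # contents can be listed
                walk(path, relpath)  # o+x alone still allows access by name
            elif stat.S_ISREG(mode) and mode & stat.S_IROTH:
                exposed.append(relpath)

    walk(root, "")
    return sorted(exposed)


def build_demo(base):
    """Create a constructed sample tree of two home directories."""
    layout = {  # constructed sample: relative path -> mode
        "alice": 0o700, "alice/notes.txt": 0o644,
        "bob": 0o755, "bob/todo.txt": 0o644, "bob/secret.txt": 0o600,
        "bob/drop": 0o711, "bob/drop/known.txt": 0o644,
    }
    for rel in layout:
        path = os.path.join(base, rel)
        if rel.endswith(".txt"):
            open(path, "w").close()
        else:
            os.mkdir(path)
    for rel, mode in layout.items():  # set modes explicitly, ignoring umask
        os.chmod(os.path.join(base, rel), mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo(demo)
        for entry in world_exposed(demo):
            print(entry)
```

In the sample, alice's 0644 file is not reported because her 0700 home directory blocks traversal, while the file under bob's 0711 directory is reported even though that directory cannot be listed.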


