Fedora Security and the Uverse 3800HGV-B router

Sam Varshavchik mrsam at courier-mta.com
Sun Jul 3 00:42:17 UTC 2011 

JD writes:

> On 07/02/2011 02:42 PM, Sam Sharpe wrote:
> > On 2 July 2011 22:20, JD<jd1008 at gmail.com>  wrote:
> >> On my machine, when I disable javascript, it is unable to display my  
> files.
> >> I understand that the browser is supposed to be able to display your files
> >> with the file:/// URL.
> >> I just was not expecting my router to issue a javascript to
> >> to access my files. And my concern is that any web site can issue a
> >> javascript to access personal files; and most people are unaware of this,
> >> because they are not techies, and do not understand what javascripts
> >> are capable of doing.
> > I don't think you understand. Your browser can access your local
> > files. It is doing so via a file:/// URL. This is not a problem with
> > javascript, this is a feature of your browser. To check this, please
> > type in "file:///" into your browsers address bar manually and you
> > will see that there is no difference in the behaviour. I repeat, this
> > is not a javascript problem and you are getting hysterical over
> > nothing.
> >
> > It is not a security risk because it is showing you the files you have
> > access to on your machine. Javascript has absolutely nothing to do
> > with it apart from sending *you* to the URL.
> >
> When I disabled javascript, the the link in the
> router's page could no longer open
> file:///

What you're missing is that a remote server's ability to instruct your web  
browser to open the contents of file:/// URL is limited to precisely that:  
your web browser opening and displaying the contents of file:///. The remote  
server's javascript has no means of accessing the contents of file:///. Once  
your web browser opens file:///, the previous page from the remote server is  
closed, together with all the javascript that was in it.

If file:/// gets opened in a separte window or a tab, as can be done, the  
javascript running from another window or tab still has no means of  
accessing the contents of another scope, as well. Javascript can only  
access resources that originate from the same scope.

This is a well-understood security model. There have been isolated instances  
in the past, where flaws were discovered in some individual browser's  
security model that allowed some mechanism for running Javascript to access  
content from another scope; occasionally a common flaw was found that was  
shared by several browsers.

Barring your wonderrouter leveraging some hereto unknown security exploit,  
all that your wonderrouter is doing is the equivalent of the HTML that reads

<a href="file:///">Y0U h4ve b33n p0wned</a>

…yawn…

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20110702/35eb6c1c/attachment.bin

More information about the users mailing list