Mailing List Archive: 49091 messages

[REBOL] Re: Security hole ? (was: image memory representation)

From: carl:cybercraft at: 24-Aug-2001 17:39

On 24-Aug-01, Anton wrote:
>>> Supposing an evil program made a very large
>>> image this way, but only initialized a tiny
>>> bit as seen already. Then it could scan
>>> lots of rebol memory, and if it was smart,
>>> might be able to get a username and password,
>>> if the user had set these previously.
>>
>> interesting thoughts :-)
>>
>>> I wonder about the memory situation with
>>> launched programs. Running launched programs
>>> using the Desktop is the most likely way
>>> for the user to run something without
>>> looking at the code.
>>
>> Yes, but you live in a sandbox, don't you? So, if any app tries
>> to read, write
>> outside your sandbox, rebol asks you for permission - it is up to
>> you then ...
>>
>> -pekr-

> What I meant was... envisage this situation:
> - First, start rebol in console,
> - access your ftp site, storing user and pass in a couple
>   of strings.
> - run desktop
> - launch and run an "evil" program
> Is rebol memory pool the same for the launched program as in
> the console at the first point?

I wouldn't think so, as a new REBOL is run for every script launched from the Desktop. Not too efficient, but it does add to security.

> If so, then it's possible that the evil program can send away user
> and password. Then evil programmer can freely access the ftp
> site. Muhahahahaaa.r.rgg..<cough>
> This way does not rely on read/write access, because it reads
> an image it has allocated "properly".
> Anyway, I can see this bug being fixed pretty soon.
> Anton.

-- Carl Read
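
The stale-memory concern raised in this thread, as an added example that is not part of the original messages and is not REBOL's code: a toy memory pool in which an image buffer that is only partly initialized still holds bytes from an earlier allocation, next to a constructor that zeroes the buffer first. The pool, the function names and the sample secret are all hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Toy bump-allocated pool standing in for an interpreter's memory pool.
   All names are hypothetical; this is not REBOL's allocator. */
#define POOL_SIZE 256
static unsigned char pool[POOL_SIZE];
static size_t pool_top = 0;

static unsigned char *pool_alloc(size_t n) {
    if (n > POOL_SIZE - pool_top) return NULL;
    unsigned char *p = pool + pool_top;
    pool_top += n;
    return p;
}

/* Release everything; the old bytes stay in the pool, as with a typical free(). */
static void pool_reset(void) { pool_top = 0; }

/* Weak: only the caller-supplied prefix is written, the rest is stale memory. */
unsigned char *make_image_weak(size_t size, const unsigned char *init, size_t init_len) {
    unsigned char *img = pool_alloc(size);
    if (!img) return NULL;
    memcpy(img, init, init_len < size ? init_len : size);
    return img;
}

/* Hardened: zero the whole buffer before copying the initial pixels. */
unsigned char *make_image_zeroed(size_t size, const unsigned char *init, size_t init_len) {
    unsigned char *img = pool_alloc(size);
    if (!img) return NULL;
    memset(img, 0, size);
    memcpy(img, init, init_len < size ? init_len : size);
    return img;
}

/* Store a constructed sample secret, release it, then build a 64-byte image
   over the same memory. Returns 1 if the secret is readable through the image. */
int secret_visible(int hardened) {
    static const char secret[] = "user:pass-SAMPLE";   /* constructed value */
    static const unsigned char px[4] = {1, 2, 3, 4};   /* the "tiny bit" initialized */
    pool_reset();
    unsigned char *s = pool_alloc(8 + sizeof secret);
    memcpy(s + 8, secret, sizeof secret);
    pool_reset();
    unsigned char *img = hardened ? make_image_zeroed(64, px, sizeof px)
                                  : make_image_weak(64, px, sizeof px);
    return memcmp(img + 8, secret, sizeof secret) == 0;
}
```

The example only covers reuse inside one pool; a separate process per launched script, as Carl describes, keeps the launched script out of the console's pool altogether.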