~/.hosts patch
Xin LI
delphij at delphij.net
Wed Jun 21 09:51:36 UTC 2006
Hi, Harti,
在 2006-06-21三的 08:31 +0200,Harti Brandt写道:
> On Wed, 21 Jun 2006, Xin LI wrote:
[snip]
> XL>successfully exploit the ~/.hosts to get privilege escalation and/or
> XL>information disclosure or something else, which could not happen without
> XL>~/.hosts?
>
> Wouldn't this enable the same kind of phishing attacks there are under
> windows? As far as I remember there are attacks where the hosts file
> (don't remember how its called under windows) is rewriten by a virus/java
> script/whatever to contain a different IP address for a given hostname?
> Suppose someone fakes the website of www.foobank.com, then manages to
> insert www.foobank.com with the wrong IP address into ~/.hosts?
Well, if the user would not see a HTTPS certificate before entering his
or her password, then it would be highly possible that the user would
run under the "root" credential, where /etc/hosts can also be altered.
But instead of getting this into a bikeshed, let's see the way we are
seeking to make it (to add the functionality as a NSS module). I think
a NSS module would provide the functionality yet allowing anyone to
choose whether to enable or disable it :-)
Cheers,
--
Xin LI <delphij delphij net> http://www.delphij.net/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: =?UTF-8?Q?=E8=BF=99=E6=98=AF=E4=BF=A1=E4=BB=B6=E7=9A=84=E6=95=B0?=
=?UTF-8?Q?=E5=AD=97=E7=AD=BE=E5=90=8D=E9=83=A8=E5=88=86?=
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20060621/9e463cba/attachment.pgp
More information about the freebsd-current
mailing list