Re: [Full-Disclosure] shell:windows command question
Date: Thu Jul 08 2004 - 09:29:31 EDT
Andreas Sandblad wrote:
>Did some quick search on Bugzilla and came up with the following:
>
>Mozilla allows external protocols as discussed in:
>http://bugzilla.mozilla.org/show_bug.cgi?id=167475
>They seem to blacklist the following external protocol handlers:
>(patch http://bugzilla.mozilla.org/attachment.cgi?id=102263&action=view)
>hcp, vbscript, javascript, ms-help, vnd.ms.radio
>
>A simple solution would be to add the shell protocol to this list.
>Personally I think a secure blacklist is hard to maintain as new
>dangerous external protocols could be invented by third-parties leaving
>Mozilla vulnerable again.
>
>
>
Completely agreed.
There should be a whitelist, not a blacklist... a safe protocols list.
-Barry
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Thu Jul 08 10:57:50 2004
This archive was generated by hypermail 2.1.8 : Thu Jul 08 2004 - 11:02:55 EDT
