Re: Fedora Security and the Uverse 3800HGV-B router

On 07/01/2011 08:57 PM, john wendel wrote:
> On 07/01/2011 08:45 PM, JD wrote:
>> I am writing this message with the hope that someone on this
>> list has this uverse router.
>> When I use Firefox to browse to this router (192.168.1.254),
>> it displays the "Home" machines connected to the network.
>> For each machine it displays:
>> a tv icon, its name, and a link named "Access Files"
>> and another link named "Device Details".
>>
>> If I click on any machine's "Access Files" link, it
>> displays my Fedora's / directory completely.
>>
>> I have no ftp daemon running.
>> I have no apache running.
>> In fact I do not have ANY internet server running.
>>
>> So how in blazes is the router able to display my
>> entire system's files?
>>
>> If I aim my browser at my own IP address,
>> I get
>> Unable to connect
>> Firefox can't establish a connection to the server at 192.168.1.201.
>>
>> So how is the router doing it?
>> This is a very disconcerting security hole and I have not been
>> able to nail it down to any daemon running on my Fedora.
>>
>> Thanks for your insights.
>>
>> JD
> Your router isn't displaying the files, your browser is, so it doesn't
> need a network connection. Though I must admit, I don't know how it's
> done.  Maybe you should examine the html source.
>
> John
You are right.
It turns out it does it via the intruder which the whole
world was deceived by Sun that it only plays in a sandbox
and has no access to anything outside that sandbox: Javascript.

So I used noscript to disable scripts from 192.168.1.254
and access to my drive went away.

When will the Linux community wake up and shout out loud:
Kill JavaScript from all browsers and all network servers
and network clients.
It is THE trojan horse hiding in plain sight and can access
EVERYTHING on your system that YOU have access to and
send it back to whatever destination the javascript was
written to send it to.

Come on, people! JAVASCRIPT being executed by your
browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
