28-Mar-2024 21:44 GMT.
UNDER CONSTRUCTION
Anonymous, there are 6 items in your selection
[News] Vaporware make a statement about security issuesANN.lu
Posted on 22-Nov-2001 16:54 GMT by Teemu I. Yliselä6 comments
View flat
View list
Vaporware have issued a statement about the security issues in MUI programs that were recently in the news.
Vaporware make a statement about security issues : Comment 1 of 6ANN.lu
Posted by Ivan Awfulitch on 23-Nov-2001 00:46 GMT
I suppose a few rabbid, brain-dead MUI fans
out there will send me even more hate mail
for this but, i'm not picking sides so hard
cheese. :)
Quote: (interesting read btw)
be very very careful when
doing such seemingly innocent operations involving
file names, and check whether an attempt is made
to open APIPE:
The only purpose of the escape codes is
to offer text formats and images, why leave
the security check to the guy who might never
know of the apipe: hole? Just like it's the
browsers job to scan for
IMG SRC=file:/apipe:<blah blah>, it's MUI's job
to scan for <esc>4:apipe:<blah blah>.
Keep sending the threats loosers, i get a good
laugh from them :)
BTW: If you have apipe: then get the MUI patch.
http://home.wtal.de/js/
or just rip out apipe:
Vaporware make a statement about security issues : Comment 2 of 6ANN.lu
Posted by Oliver Roberts on 23-Nov-2001 09:43 GMT
In reply to Comment 1 (Ivan Awfulitch):
That's all very well, but what about legitimate uses of APIPE: (or other
handlers) in MUI escape sequences? If you make MUI to filter out such
sequences, then it will break legitmate uses as well as filtering out
suspect uses. The key point being that MUI escape sequence are a feature,
not themselves a problem that need to be fixed.
Your point about it being a browsers job to filter out file:///apipe:
and MUI's job to filter out escape sequences contain apipe: doesn't
really stand up at all. It's a question of at what level the problem is
to be fixed - in your example, browser's fix file:// the problem at a
high level, whereas your MUI fix is low level. For you argument to
stand up, you should compare like with like - it would make more sense
if you said it wasn't the browser's job (high level) to filter file://
accesses and instead fix the problem at low level (like your MUI
escape sequence example) by patching dos/Open()!
Vaporware make a statement about security issues : Comment 3 of 6ANN.lu
Posted by kjetil on 23-Nov-2001 20:17 GMT
It is best avoiding using the MUI/APIPE and AWPIPE in web/Internet apps,
as you may some times forget filter some input / output gadgets.
Vaporware make a statement about security issues : Comment 4 of 6ANN.lu
Posted by smithy on 24-Nov-2001 22:33 GMT
Erm, excuse me for sounding ignorant, but what exactly is APIPE? ;)
Vaporware make a statement about security issues : Comment 5 of 6ANN.lu
Posted by Anonymous on 26-Nov-2001 23:25 GMT
In reply to Comment 2 (Oliver Roberts):
Well, we agree on one thing at least,
which level should the problem be
fixed at is a good question. But,
i don't look upon MUI as some
low level library like dos, it's
a far cry from dos,exec, etc.
I'd say its a complex version of
visualprefs but that would be rude
to stefan, it's more than that, but
low level like dos.library? please.
Vaporware make a statement about security issues : Comment 6 of 6ANN.lu
Posted by Ivan Awfulitch on 26-Nov-2001 23:58 GMT
In reply to Comment 5 (Anonymous):
Opps, i wen't anon up there diden't i? :)
Anonymous, there are 6 items in your selection
Back to Top