Posted by wylbur37 on 06/01/06 06:35
Martin Jay wrote:
> In message <1149101295.601620.259980@c74g2000cwc.googlegroups.com>,
> wylbur37 <wylbur37nospam@yahoo.com> writes
> >
> >What's the use of Mozilla/Firefox refusing to honor links to local
> >files "for security reasons" when any website can still access
> >a user's files anyway by means of a PHP script?
>
> I don't understand what you mean. Can you give an example of a PHP
> script, running on a server, being able to access files on a user's
> (client) machine?

In my original posting, when I described running a PHP script called
test3.php on my localhost Apache server (where the server and the
client are on the same physical computer), I could also include code
that reads and writes to the c: drive, so I assumed that if that same
script were installed on a physically remote server, it would also be
able to read and write to the C: drive of my computer if I were to
visit the webpage with that PHP script.

But now I realize that if that were the case, the C: drive that would
be accessed would be the one on the *server's* computer and not *my*
computer. Is that correct?

By the way, the informative webpage mentioned
(http://kb.mozillazine.org/Links_to_local_pages_don't_work)
said that ...

    For security purposes, Firefox and Mozilla Suite block links to
    local files (and directories) from remote files. This includes
    linking to files on your hard drive, on mapped network drives, and
    accessible via UNC paths. This prevents a number of unpleasant
    possibilities, including:

    * Allowing sites to detect your operating system by checking
      default installation paths
    * Allowing sites to exploit system vulnerabilities (e.g.,
      C:\con\con in Windows 95/98)
    * Allowing sites to detect browser preferences or read sensitive
      data

Could someone explain how the above three "unpleasant possibilities"
could actually happen?