Date: Wed, 21 Jun 2006 17:51:19 +0800
From: Xin LI <delphij@delphij.net>
To: Harti Brandt <harti@freebsd.org>
Cc: Mike Jakubik <mikej@rogers.com>, freebsd-current@freebsd.org, Justin Hibbits <jrh29@eecs.cwru.edu>
Subject: Re: ~/.hosts patch
Message-ID: <1150883479.78122.20.camel@spirit>
In-Reply-To: <20060621082734.Q24109@beagle.kn.op.dlr.de>
References: <C41481BC-89F3-457E-9FD0-CB85CE7B93E7@eecs.cwru.edu> <4498D108.90907@rogers.com> <20060621053007.GA3320@odin.ac.hmc.edu> <4498DF20.8020803@rogers.com> <1150870137.78122.14.camel@spirit> <20060621082734.Q24109@beagle.kn.op.dlr.de>
Hi, Harti,

On Wed, 2006-06-21 at 08:31 +0200, Harti Brandt wrote:
> On Wed, 21 Jun 2006, Xin LI wrote:

[snip]

> XL>successfully exploit the ~/.hosts to get privilege escalation and/or
> XL>information disclosure or something else, which could not happen without
> XL>~/.hosts?
>
> Wouldn't this enable the same kind of phishing attacks there are under
> Windows? As far as I remember there are attacks where the hosts file
> (don't remember how it's called under Windows) is rewritten by a virus/JavaScript/whatever
> to contain a different IP address for a given hostname?
> Suppose someone fakes the website of www.foobank.com, then manages to
> insert www.foobank.com with the wrong IP address into ~/.hosts?

Well, if the user would not see an HTTPS certificate before entering his or her password, then it would be highly possible that the user would run under the "root" credential, where /etc/hosts can also be altered.

But instead of getting this into a bikeshed, let's see the way we are seeking to make it (to add the functionality as an NSS module). I think an NSS module would provide the functionality yet allow anyone to choose whether to enable or disable it :-)

Cheers,
--
Xin LI <delphij delphij net> http://www.delphij.net/
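As an added defender-side example that is not part of the thread or of FreeBSD: a small audit that parses hosts(5)-format text and reports the names a hypothetical ~/.hosts would resolve differently from /etc/hosts, plus any watchlisted names (the www.foobank.com case Harti raises) that the per-user file resolves at all. The two sample files are constructed, and the assumption is that ~/.hosts would be consulted before /etc/hosts.

```python
"""Audit a per-user hosts file against the system hosts file (constructed example)."""
import ipaddress


def parse_hosts(text):
    """Parse hosts(5)-style text into {hostname: {address, ...}}.

    A line is 'address canonical_name [aliases...]'; '#' starts a comment.
    Names are case-insensitive, and a name listed on several lines (e.g.
    localhost for ::1 and 127.0.0.1) collects every address.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # address without any name: nothing to resolve
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address: skip the line, as a resolver would
        for name in fields[1:]:
            table.setdefault(name.lower(), set()).add(addr)
    return table


def audit_user_hosts(system_text, user_text, watchlist=()):
    """Return (shadowed, watched).

    shadowed: {name: (system_addrs, user_addrs)} for names that the user file
              overrides with a different address set than the system file.
    watched:  {name: user_addrs} for watchlist names the user file resolves.
    """
    system, user = parse_hosts(system_text), parse_hosts(user_text)
    shadowed = {n: (system[n], a) for n, a in user.items()
                if n in system and system[n] != a}
    watched = {n: user[n] for n in (w.lower() for w in watchlist) if n in user}
    return shadowed, watched


# Constructed sample contents standing in for /etc/hosts and ~/.hosts.
SYSTEM_HOSTS = "::1 localhost\n127.0.0.1 localhost\n192.0.2.10 intranet.example.test intranet\n"
USER_HOSTS = "# constructed ~/.hosts\n198.51.100.7 intranet.example.test\n203.0.113.5 www.foobank.com\n"

if __name__ == "__main__":
    shadowed, watched = audit_user_hosts(SYSTEM_HOSTS, USER_HOSTS, ["www.foobank.com"])
    for name, (sys_a, usr_a) in sorted(shadowed.items()):
        print(f"SHADOWED {name}: /etc/hosts={sorted(sys_a)} ~/.hosts={sorted(usr_a)}")
    for name, addrs in sorted(watched.items()):
        print(f"WATCHED  {name}: ~/.hosts={sorted(addrs)}")
```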
