On Wed, May 30, 2001 at 11:46:59PM +1200, David McNab wrote:
> > Really? It handles unicode scripts, or does it just block all HTTP access from
> > freenet pages? The latter could still lead to anonymity loss if javascript can
> > insert into freenet via POST on the portal page.
>
> For this reason, the fwproxy is not supporting POST within Freenet.
> Any javascript POSTing to the web will be blocked, and POSTs to Freenet will
> be ignored

Cool. We should have an option in the fproxy config to disable POSTing. Though
I imagine some people use fproxy to insert things ("ease of use" again :) ).
And I'd still be a little concerned re scripting - if you have a full scripting
language, it may be possible for it to do bad things. Not sure how though :|
Full blown exploits are one option; most browser exploits are exploited via
javascript. JS can't connect directly to anything, or keep state across pages?
How much can it access re the local system? I seem to remember that you can do
a timing attack with javascript to find out if a given page is in the browser's
cache; this would be much more effective on freenet. You do need a way to get
the info back, though... anything based on requests is going to be really slow,
inefficient, unreliable, but maybe just possible sometimes... Of course there's
social engineering too, but that can usually yield results without scripting :)
E.G. "UCITA is evil. Please send a fax to your local representative at this URL.
We can't do this through freenet because we need to send information back to the
server which will be converted to a fax. You will need to close your browser and
restart it with the new URL to avoid the anonymity filter blocking it.
http://www.mallory.net/cgi-bin/faxrep.cgi?name=blurb&browser=mozilla-4.77-linux&visitedsnarfoo=yes&visitedgj=yes&visitedevil=yes&downloadedpiratedmusic=...
:)
>
>
> ----- Original Message -----
> From: "toad" <matthew at toseland.f9.co.uk>
> To: <devl at freenetproject.org>
> Sent: Wednesday, May 30, 2001 23:43
> Subject: Re: [freenet-devl] Content filter vs unicode
>
>
> > On Wed, May 30, 2001 at 11:27:25PM +1200, David McNab wrote:
> > > Hate to say this, but the FWproxy within Freeweb is immune to this problem
> > > :)
> > Really? It handles unicode scripts, or does it just block all HTTP access from
> > freenet pages? The latter could still lead to anonymity loss if javascript can
> > insert into freenet via POST on the portal page.
> > >
> > > ----- Original Message -----
> > > From: toad
> > > To: devl at freenetproject.org
> > > Sent: Wednesday, May 30, 2001 23:21
> > > Subject: [freenet-devl] Content filter vs unicode
> > >
> > > The attached file (recently posted to bugtraq by "eDvice Security Services"
> > > <support at edvicetech.com> as an exploit to another filter proxy) is picked
> > > up by fproxy's filter, but only the meta tag that sets the character set. This
> > > is used by, for example, the Freenet China News sites, though they use
> > > charset= gb2312 (and have hyperlinks; they are picked up on the content filter
> > > on both counts).
> > > Point is, any foreign language web page, even without hyperlinks, will trip
> > > the filter. Therefore foreign language freesite readers will turn off the
> > > content filter. Isn't there some java support for this stuff? (finding which
> > > chars could correspond to an "<script" ?).
--
Always hardwire the explosives
-- Fiona Dexter quoting Monkey, J. Gregory Keyes, Dark Genesis
_______________________________________________
Devl mailing list
Devl at freenetproject.org
http://lists.freenetproject.org/mailman/listinfo/devl
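
One way to approach the question raised in the thread (whether Java can work out which bytes correspond to "<script" under a page's character set), as an added example that is not from the thread or from fproxy: decode the page with the charset it declares and scan the decoded text, blocking only pages whose charset cannot be decoded. The class name, verdict names and sample pages are constructed for illustration; it uses `java.nio.charset` (Java 7 or later) and assumes the charset comes from a byte order mark or a meta tag.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CharsetAwareFilter {
    enum Verdict { PASS, BLOCK_SCRIPT, BLOCK_UNKNOWN_CHARSET }

    // charset=... as found in a meta tag; a legal name starts with a letter or digit.
    static final Pattern META_CHARSET = Pattern.compile(
        "charset\\s*=\\s*[\"']?([A-Za-z0-9][A-Za-z0-9._:-]*)", Pattern.CASE_INSENSITIVE);
    static final Pattern ACTIVE = Pattern.compile("<\\s*script", Pattern.CASE_INSENSITIVE);

    static Verdict check(byte[] page) {
        // Latin-1 maps every byte to one char, so this view never loses data.
        String raw = new String(page, StandardCharsets.ISO_8859_1);
        Charset declared = StandardCharsets.ISO_8859_1;
        if (raw.startsWith("\u00ff\u00fe")) {
            declared = StandardCharsets.UTF_16LE;   // byte order mark FF FE
        } else if (raw.startsWith("\u00fe\u00ff")) {
            declared = StandardCharsets.UTF_16BE;   // byte order mark FE FF
        } else {
            Matcher m = META_CHARSET.matcher(raw);
            if (m.find()) {
                // Fail closed: a charset we cannot decode cannot be inspected.
                if (!Charset.isSupported(m.group(1))) return Verdict.BLOCK_UNKNOWN_CHARSET;
                declared = Charset.forName(m.group(1));
            }
        }
        // Scan the bytes as written and as the declared charset decodes them.
        String decoded = new String(page, declared);
        boolean hit = ACTIVE.matcher(raw).find() || ACTIVE.matcher(decoded).find();
        return hit ? Verdict.BLOCK_SCRIPT : Verdict.PASS;
    }

    public static void main(String[] args) {
        // Constructed samples. D6 D0 CE C4 is a two-character GB2312 string.
        byte[] chinese = ("<html><meta http-equiv=\"Content-Type\" content=\"text/html; "
            + "charset=gb2312\"><body>\u00d6\u00d0\u00ce\u00c4</body></html>")
            .getBytes(StandardCharsets.ISO_8859_1);
        byte[] utf16 = "\ufeff<html><script>x()</script></html>".getBytes(StandardCharsets.UTF_16LE);
        byte[] odd = "<meta content=\"text/html; charset=x-demo-unknown\">"
            .getBytes(StandardCharsets.ISO_8859_1);
        System.out.println("gb2312 text page:    " + check(chinese));
        System.out.println("UTF-16 with script:  " + check(utf16));
        System.out.println("undecodable charset: " + check(odd));
    }
}
```

A filter built this way would also need the charset from the HTTP Content-Type header and the other active-content checks the thread mentions (hyperlinks, POST), which this sketch leaves out.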