Hi, Harti,

On Wed, 2006-06-21 at 08:31 +0200, Harti Brandt wrote:
> On Wed, 21 Jun 2006, Xin LI wrote:
[snip]
> XL>successfully exploit the ~/.hosts to get privilege escalation and/or
> XL>information disclosure or something else, which could not happen without
> XL>~/.hosts?
>
> Wouldn't this enable the same kind of phishing attacks there are under
> Windows? As far as I remember there are attacks where the hosts file
> (don't remember how it's called under Windows) is rewritten by a virus/java
> script/whatever to contain a different IP address for a given hostname?
> Suppose someone fakes the website of www.foobank.com, then manages to
> insert www.foobank.com with the wrong IP address into ~/.hosts?

Well, if the user would not see an HTTPS certificate before entering his or her password, then it would be highly possible that the user would run under the "root" credential, where /etc/hosts can also be altered.

But instead of getting this into a bikeshed, let's see the way we are seeking to make it (to add the functionality as an NSS module). I think an NSS module would provide the functionality yet allowing anyone to choose whether to enable or disable it :-)

Cheers,
--
Xin LI <delphij delphij net> http://www.delphij.net/
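The poisoning scenario Harti describes (a static entry for a bank's hostname dropped into a per-user hosts file) can be audited from the defender's side by parsing the file and flagging any watched name it maps. The script below is an added example, not code from this thread or from any FreeBSD component; the `~/.hosts` path, the watch-list and the sample file contents are assumptions for illustration.

```python
"""Audit a per-user hosts file for static entries that hijack hostnames the
user trusts, the phishing case raised in the thread. Added example, not code
from the thread or any FreeBSD component; ~/.hosts and the watch-list are
assumed for illustration."""
import ipaddress

# Constructed watch-list: names expected to come from DNS, so any static
# override in a hosts file is worth flagging.
WATCHED_HOSTS = {"www.foobank.com", "www.example-bank.test"}


def parse_hosts(text):
    """Parse /etc/hosts-style text into (lineno, ip, [names]) tuples.
    '#' starts a comment; malformed lines are reported, not silently dropped."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            errors.append((lineno, "missing hostname"))
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            errors.append((lineno, "bad address %r" % fields[0]))
            continue
        entries.append((lineno, ip, [n.lower() for n in fields[1:]]))
    return entries, errors


def find_overrides(text, watched=WATCHED_HOSTS):
    """Return (lineno, name, ip) for every watched hostname the file maps,
    whatever address it points to: the mapping itself bypasses DNS."""
    entries, _ = parse_hosts(text)
    return [(lineno, name, str(ip))
            for lineno, ip, names in entries
            for name in names if name in watched]


# Constructed sample of a poisoned ~/.hosts.
SAMPLE = """# constructed sample ~/.hosts
127.0.0.1   localhost
192.0.2.10  www.foobank.com foobank.com   # suspicious override
notanip     www.example-bank.test
"""

if __name__ == "__main__":
    for lineno, name, ip in find_overrides(SAMPLE):
        print("line %d: %s statically mapped to %s" % (lineno, name, ip))
```

A real deployment would also check the file's ownership and mode, since a group- or world-writable ~/.hosts lets anyone on the machine plant such an entry.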
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:57 UTC