guile-user
From: Arne Babenhauserheide
Subject: Re: Guile security vulnerability w/ listening on localhost + port (with fix)
Date: Sun, 16 Oct 2016 21:51:27 +0200
User-agent: mu4e 0.9.16; emacs 24.5.1

Christopher Allan Webber writes:
> browsers do and don't allow, but I'm stunned that a browser will let a
> request from some http://foo.example/ to http://localhost:37146/, even
> for just a GET.  It seems like there are all sorts of daemons you can
> exploit that way.

This can be pretty useful for embedding an iframe with a local service
(I do that for babcom[1]: Decentralized comments over Freenet, sadly still
pretty slow, because I’m using an in-Freenet system for that which
wasn’t optimized for the use case).

On the downside, companies use the same methods to connect local
services with playback-restrictions (DRM) which aren’t easily doable via
the web alone. Likely this is the reason why it’s still possible, though
I wish it were the other way round (possible for the good usages, not
possible for the problematic-but-profitable ones)…

[1]: http://www.draketo.de/proj/freecom/

Best wishes,
Arne
-- 
To be apolitical
means to be political
without noticing it
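The quoted message describes the mechanism behind the reported bug: a browser will happily send a request from a page on some other site to a daemon that is only listening on the loopback address, so the daemon must not assume "it came from localhost, so it came from me". The following is an added example, not code from this thread or from Guile, showing how a small loopback-only HTTP service can refuse such relayed requests using only standard request headers. The hostname list, the header rules, the `check_request` function and the handler class are all assumptions of this example; the port number 37146 is the one mentioned in the thread.

```python
"""Added example: a loopback-only HTTP service that refuses requests a
browser relays from another site (hypothetical code, not from Guile)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Hostnames under which the local service legitimately answers (assumption).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _hostname(host_header):
    """Strip an optional port from a Host header value, keeping IPv6 literals."""
    h = host_header.strip()
    if h.startswith("["):                        # e.g. "[::1]:37146"
        return h[1:h.index("]")].lower() if "]" in h else ""
    return h.rsplit(":", 1)[0].lower() if ":" in h else h.lower()


def _origin_host(url):
    """Hostname of an Origin/Referer URL, or '' if it cannot be parsed
    (the literal Origin value 'null' also yields '')."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def check_request(headers):
    """Decide whether a request to the loopback service should be served.

    Returns (allowed, reason). Rules, all based on standard request headers:
      1. Host must name the loopback host: this rejects requests where a
         public DNS name was pointed at 127.0.0.1 (DNS rebinding).
      2. Sec-Fetch-Site (sent by modern browsers) must not be 'cross-site'.
      3. If Origin or Referer is present, it must also be a loopback origin:
         this rejects cross-site XHR/fetch/form posts and embedded frames.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host")
    if not host or _hostname(host) not in LOOPBACK_HOSTS:
        return False, "host header is not loopback"
    if h.get("sec-fetch-site", "").lower() == "cross-site":
        return False, "browser reports a cross-site request"
    for name in ("origin", "referer"):
        if name in h and _origin_host(h[name]) not in LOOPBACK_HOSTS:
            return False, f"{name} header is not a loopback origin"
    return True, "ok"


class LoopbackOnlyHandler(BaseHTTPRequestHandler):
    """Minimal handler: every method goes through check_request first."""

    def _guarded(self):
        allowed, reason = check_request(dict(self.headers))
        if not allowed:
            self.send_response(403)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(f"refused: {reason}\n".encode())
            return False
        return True

    def do_GET(self):
        if self._guarded():
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"hello from the local service\n")

    do_POST = do_GET


if __name__ == "__main__":
    # Bind to the loopback address only; 37146 is the port named in the thread.
    HTTPServer(("127.0.0.1", 37146), LoopbackOnlyHandler).serve_forever()
```

One caveat worth keeping in mind: a plain cross-site GET issued through an `<img>`, `<iframe>` or top-level navigation carries no Origin header, and older browsers send no Sec-Fetch-Site either, so for that case the Host check is the only header-based defence. That is why a loopback service should also never do anything state-changing (let alone evaluate code) in response to a bare GET, and why binding to 127.0.0.1 is not by itself a substitute for authenticating the client.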
