From: Arne Babenhauserheide <arne_bab@web.de>
To: Christopher Allan Webber <cwebber@dustycloud.org>
Cc: guile-user@gnu.org, guile-devel@gnu.org
Subject: Re: Guile security vulnerability w/ listening on localhost + port (with fix)
Date: Sun, 16 Oct 2016 21:51:27 +0200 [thread overview]
Message-ID: <871szgvzr4.fsf@web.de> (raw)
In-Reply-To: <87lgxo9vx8.fsf@dustycloud.org>
[-- Attachment #1: Type: text/plain, Size: 1016 bytes --]
Christopher Allan Webber writes:
> browsers do and don't allow, but I'm stunned that a browser will let a
> request from some http://foo.example/ to http://localhost:37146/, even
> for just a GET. It seems like there are all sorts of daemons you can
> exploit that way.
This can be pretty useful for embedding an iframe with a local service
(I do that for babcom[1]: Decentralized comments over Freenet, sadly still
pretty slow, because I’m using an in-Freenet system for that which
wasn’t optimized for the usecase).
On the downside, companies use the same methods to connect local
services with playback-restrictions (DRM) which aren’t easily doable via
the web alone. Likely this is the reason why it’s still possible, though
I’d wish it were the other way round (possible for the good usages, not
possible for the problematic-but-profitable ones)…
[1]: http://www.draketo.de/proj/freecom/
Best wishes,
Arne
--
Unpolitisch sein
heißt politisch sein
ohne es zu merken
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 800 bytes --]
next prev parent reply other threads:[~2016-10-16 19:51 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-11 14:01 Guile security vulnerability w/ listening on localhost + port (with fix) Christopher Allan Webber
2016-10-12 15:49 ` Nala Ginrut
2016-10-12 16:11 ` Thompson, David
2016-10-14 21:55 ` Lizzie Dixon
2016-10-16 15:05 ` Christopher Allan Webber
2016-10-16 19:51 ` Arne Babenhauserheide [this message]
2016-10-17 1:39 ` Lizzie Dixon
2017-02-26 18:22 ` Andy Wingo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/guile/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871szgvzr4.fsf@web.de \
--to=arne_bab@web.de \
--cc=cwebber@dustycloud.org \
--cc=guile-devel@gnu.org \
--cc=guile-user@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).