RobG wrote:
Seems JavaScript is getting some bad press:
"Security researchers have found a way to use JavaScript
to map a home or corporate network and attack connected
servers or devices, such as printers or routers."
<URL: http://news.zdnet.com/2100-1009_22-6099891.html >
There seems to be quite a bit of FUD happening in regard to
this issue - as far as I can see, JavaScript could have been
used for this for years, it's only now someone has decided
it's a security risk.
I'm not sure what anyone can do with knowing that my printer's
IP is 10.1.1.5, but maybe someone else has a suggestion?
The article includes the statement; "When run, the JavaScript first
determines the internal network address of the PC", which is not
information that javascript can get directly from a web browser. Java
can tell you that (though the security manager for its use inside a web
browser should prevent it from doing so) and ActiveX components can tell
you that (though only the type of ActiveX objects that should be
disabled in the Internet security zone). Apart from that the only
approach I can think of would be trial and error, and that appears to be
the approach taken in article. Specifically; loading the SRC of an Image
object with a likely address and seeing what happens, presumably whether
its onerror or onload handlers are fired (onerror; look elsewhere,
onload; you have learnt something about the system).
A trial and error approach is potentially going to be slow (and may
build up large runtime memory consumption). It is not going to be
practical to scan the entire possible IP range, so I imagine that you
start with variations of likely internal network addresses.
Of course loading an Image SRC with a local network address from a
script originating on the Internet should provoke cross-domain security
restrictions, and as I recall those restrictions apply to Image objects
on Mozilla/Gecko browsers even if IE doesn't seems quite so concerned
(or didn't last time I tried, which was a couple of years ago now).
Richard.
