There are exploits in the wild where malicious JavaScript is used to
take over the router/gateway using known default username/password
combinations.

And if it can scan the internal network it can be used to attack it,
or simply to proxy attacks...

On Wed, Jul 9, 2008 at 4:22 PM, Jimmy Hendrix
<[EMAIL PROTECTED]> wrote:
> I would love to see the code to do that.  Although it is worth noting that
> an internal port scan isn't worth much since you would need to crack the
> perimeter firewall or take full control of the machine through some other
> method before the info is worth anything.  Otherwise you would know what
> ports are open, but the firewall would stop you from exploiting them.
>
> Jimmy
>
> On Wed, Jul 9, 2008 at 3:57 PM, M. Bitner <[EMAIL PROTECTED]> wrote:
>>
>> I started religiously running NoScript in Firefox after a colleague of
>> mine figured out how to write a port scanner in JavaScript. So if you
>> went to his page with JavaScript enabled he would be able to have you
>> run a scan of your internal network, as your user, with your
>> permissions, regardless of firewall settings. So my answer would be
>> that even if JavaScript has gotten safer it doesn't mean that people
>> haven't figured out clever things to do with it that you wouldn't want
>> to happen.
>>
>> On Wed, Jul 9, 2008 at 3:53 PM, Allen Brown <[EMAIL PROTECTED]> wrote:
>> > I am moderately paranoid about allowing web sites to run JavaScript
>> > in my browser.  (I use NoScript in Firefox.)  Basically I only
>> > enable it if I know the owner of the site or trust them because
>> > of who they are.  Examples: personal friends or banks.
>> >
>> > Am I being unnecessarily paranoid?  Has JavaScript gotten good
>> > enough that I can let my guard down?  How do you all handle this?
>> > --
>> > Allen Brown  abrown at peak.org
>> >  http://brown.armoredpenguin.com/~abrown/
>> >  Criticism may not be agreeable, but it is necessary. It fulfils
>> >  the same function as pain in the human body. It calls attention
>> >  to an unhealthy state of things. --- Sir Winston Churchill
>> > _______________________________________________
>> > EUGLUG mailing list
>> > [email protected]
>> > http://www.euglug.org/mailman/listinfo/euglug
>> >