Wouldn't installing malicious plugins involve either putting malicious
code into a repository (which seems like a good way to get caught though
not a certainty) or having write access to the appropriate directories
on the target computer?
You can set up a repository on any web server of your liking, then add
it to the repo section, done. And it has been done. It's actually what
caught my attention LMS installations being "hacked": the attacker
installed a modified version of my Picture Gallery plugin and configured
it to scan _all_ drives, _all_ folders. This caused crashes on some systems.
I'm curious how many malware authors are targeting HTTP on internal home
networks. Is it safe to say that relatively few people are running any
kind of server at all on their home networks?
People don't run servers. They run appliances. And many of them come
with web and other servers built in: modems & routers, printers, TV
sets, webcams...
I can't decide if this is a near-complete non-issue or if I'm somehow
missing something painfully obvious that I'll eventually regret. Are
there currently Bad Things out there in the wild that are taking
advantage of insecure home HTTP?
I think more often the bad things take advantage of broken servers.
Vulnerabilities causing unexpected behaviour given specific parameters.
But these would work whether the traffic was encrypted or not. The risk
that comes with unencrypted traffic is that somebody could spy on it -
if he already had access to your network. If that data transported
sensitive data, then the biggest risk would be to expose sensitive data.
_______________________________________________
Squeezecenter mailing list
[email protected]
http://lists.slimdevices.com/mailman/listinfo/squeezecenter
