Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: Gator installer Plugin allows any software to be installed
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Fri, 22 Feb 2002 11:01:44 -0500

Hi, 

Good catch!  It turns out that I asked Gator 2 years ago about potential
security problems in the Gator download system.  See the attached
message.  According to my archives, I never got a reply.

Richard M. Smith
http://www.ComputerBytesMan.com

-----Original Message-----
From: Richard M. Smith 
Sent: Monday, January 17, 2000 5:17 PM
To: mark () gator com; tony () gator com; mpennell () YAHOO COM
Cc: Richard M. Smith
Subject: A few technical questions about the Gator plugin for IE


Hi Tony Martin and Mark Pennell,
 
I have a few technical questions about the Gator plugin for
Internet Explorer:
 
1.  Are there any security mechanisms built into the Gator
ActiveX control to prevent a hacker from using the control
on their own Web page to download and execute malicous
code?  It appears to me from Gator installation page that
the location of the Setup Bundle file is settable using the 
"server" and "rootdir" parameters.
 
2. What file format does a Setup Bundle file use?
 
3. How come ever transmission from my computer to
the eguard.com server includes a GUID serial number?  
Example:
 
GET /Cmd/Client_GetSite;wired.com HTTP/1.0
Accept: */*
User-Agent: 5D3D6420CCF311D3A67F002078900337
Script-Version: 0.2
Product-Version: 1.1.1.1
Host: scriptserver.eguard.com
 
I assume that this number is unique id number which
identifies me.  It seems to contain my Ethernet 
adapter address (002078900337).
 
4. Is this GUID serial number associated with my registration
information?
 
Thanks,
Richard


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]