Anzio in a web page
Bob Rasmussen
ras at anzio.com
Wed Apr 5 16:07:34 PDT 2006
On Wed, 5 Apr 2006, Fairlight wrote:
> I couldn't believe what you were saying, so I tried it myself.
>
> This app needs some security issues addressed.
Noted, with comments below.
>
> 1) You can copy the form, use 'x' sites codebase (and presumably licenses
> I'm guessing since you wouldn't want everyone using your web site to have
> to purchase their own license or have a nag screen--at the very least,
> bandwidth spent retrieving the app) to connect to places they don't intend
> you to connect to. The destination should be hardwired into the
> configuration on the server with no possibility of retrieval from remote or
> mutability from a third party.
There is very little here that is different from having the EXE versions
of Anzio download-installable from the web. Someone could use that
software (or telnet, or PuTTY) to access any site that had an open telnet
or SSH port.
Licensing approaches have not yet been decided.
>
> 2) I was easily able to retrieve the .def file, and had there been a
> password present, I'd have direct access to a username and password for an
> account. Someone might not -want- anyone coming in except from the web
> page application. In any event, I can't think of a situation outside of
> public access systems like a library where giving out passwords is a good
> idea. The definition file should be irretrievable via the web server, and
> therefore unavailable for human consumption.
First, nothing requires the username and/or password to be included in the
DEF file. If they are not provided, the program will prompt for them just
as you would expect.
It should also be possible to password-protect the DEF file on the web
server.
Finally, it IS possible to embed various parameters in the ActiveX
object's resources.
>
> The opportunities for cross-site scripting and account theft are abundant
> as it stands right now. I'd never deploy this in production on that basis
> alone. Unless it can be locked so that none of the user credentials are
> ever obtainable, and so that the destination is immutable, it's a complete
> no-go from a security standpoint, IMHO.
Remember that not all web-based sites are accessible over the Internet.
Many intranet applications are going web-based.
The intent of this program format was to have an object that visually
resides within the web page, and over which the web page/server has some
control.
> Installation probably won't fly with Firefox. I have the ActiveX module
> installed, and every time there's been an ActiveX control to install, I've
> needed to use IE to install it, and then it works with Firefox. This was
> the case with both iVocalize and GameSpy's downloader (used with gamespy
> and direct2drive). Firefox won't do the installation bits, at least from
> what I've seen, even with the module. In this case, I used IE6 to install
> and test. Firefox still won't actually use it. Must be bound more tightly
> to the browser than the other two apps (which will actually run standalone,
> so I surmise that the whole thing is an ActiveX control, rather than -just-
> the installer). About all the Firefox ActiveX module has ever been good
> for is playing inline multimedia files, honestly, so this isn't really
> Anzio's fault. Although I'd say that going with Java would have been
> significantly more compatible. And MS continues to lose browser market
> share. Not sure ActiveX was a wise choice--anyone wanting to deploy this
> more or less will need to mandate IE. That's going to be a bigger
> detractor than it would have been one or two years back.
Thanks for the hints on Firefox.
Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.
personal e-mail: ras at anzio.com
company e-mail: rsi at anzio.com
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com
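One way to apply the server-side protection Bob mentions (password-protecting the DEF file on the web server), as an added example that is not part of this thread or of Anzio's own documentation: an Apache 2.4 configuration fragment showing the weak default beside a restricted version. Apache itself, the paths, the realm name and the htpasswd file are assumptions; the page only names the .def file.

```apache
# Added example, not from the Anzio thread. Assumes Apache 2.4 directive syntax;
# all paths and the realm name below are placeholders.

# Weak setting: the document root is open and the .def file sits inside it,
# so anyone who reads the page source can download the definition file and
# see any username/password embedded in it.
#
#   <Directory "/var/www/html">
#       Require all granted
#   </Directory>

# Corrected setting: the page itself stays public, but anything ending in
# .def is only served over TLS and only to a client that authenticates.
<Directory "/var/www/html">
    Require all granted
</Directory>

<FilesMatch "\.def$">
    # Refuse to hand the definition file out over plain HTTP at all,
    # so the credentials (if any) never cross the wire unencrypted.
    <If "%{HTTPS} != 'on'">
        Require all denied
    </If>

    # Over HTTPS, require HTTP Basic authentication against a local
    # password file (placeholder path; create it with htpasswd).
    <Else>
        AuthType Basic
        AuthName "Anzio session definitions"
        AuthUserFile "/etc/httpd/anzio.htpasswd"
        Require valid-user
    </Else>

    # Make sure intermediaries and the browser do not keep a copy around.
    Header always set Cache-Control "no-store"
</FilesMatch>
```

The `Header` line needs mod_headers loaded; the `<If>`/`<Else>` blocks need Apache 2.4 or later. This controls who can fetch the file; leaving the username and password out of the DEF file entirely, as Bob notes is possible, is the stronger option and the two measures stack.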