Definitely, I agree, but I think it would be better if WSH was simply
patched, perhaps with a way to sign scripts, and non-expert users
can't give them root permissions, and that scripts should not
ever be able to send emails without a user confirmation, no matter
what permissions they have. Perhaps do the same thing with trying
to run a program or load a COM component.
My .02 :)
Gfunk - http://www.gfunk007.com/
I sense much beer in you. Beer leads to intoxication, intoxication to
hangovers, and hangovers to... suffering.
----- Original Message -----
From: "Thor M. Steindorsson" <[EMAIL PROTECTED]>
To: "Josh G" <[EMAIL PROTECTED]>
Sent: Wednesday, February 14, 2001 10:15 AM
Subject: RE: [PHP] Here you have, ;o)
> I agree with the vbs part, unfortunately windows is set by default to hide
> file extensions of known file types, meaning the person would only see the
> .jpg extension and not the .vbs. Since most computer users are not as
> computer savvy as we are, they don't know any better.
>
> As far as the WSH, I removed mine months ago, and have yet to find a program
> or website that has a problem with it not being there. IMHO WSH is the
> biggest security threat ever released by a big computer corporation, since
> it essentially gives all scripts the same permissions the user has, and
> since 98% of windows 9x users essentially have admin permissions on their
> machines, the WSH basically gives admin access to anyone with a little bit
> of VB knowledge and a mean streak.
> I've created a couple of WSH scripts for clients, so I know how ridiculously
> open this thing is. From an email it's possible to execute ANY program
> installed on that machine, including all windows commands (even Format C: is
> possible).
>
> Again, I agree with most of your vbs point (I am a sysadmin and we filtered
> out .jpg.vbs attachments months ago (along with a ton of other
> attachments), so none of our customers were affected), but unfortunately
> the problem is primarily twofold:
>
> 1. People open attachments without knowing what they are.
> 2. Windows Scripting Host is a major security breach.
>
> Of course, this is just my opinion...
--
PHP General Mailing List (http://www.php.net/)
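The gateway-side filtering mentioned in the quoted message (dropping `.jpg.vbs` attachments before they reach users who cannot see the real extension), sketched as an added example that is not part of the original thread. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly or hands to a script host (assumed, not exhaustive).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "bat", "cmd", "exe", "scr", "pif"}
# Harmless-looking extensions used as the visible decoy (assumed list).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3"}

def classify(filename):
    """Return 'double-extension', 'script' or 'ok' for an attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    cleaned = filename.strip().rstrip(". ").lower()
    # Padding spaces between extensions are a common way to push the real one out of view.
    parts = [p.strip() for p in cleaned.split(".")]
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "script"

def scan_message(raw):
    """Return (filename, verdict) for every attachment a gateway should hold back."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and classify(name) != "ok":
            findings.append((name, classify(name)))
    return findings

def build_sample():
    """Constructed test message with inert attachment bodies."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg.set_content("see attached")
    for name in ("holiday.jpg", "picture.jpg.vbs", "notes.vbs"):
        msg.add_attachment(b"inert", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:17} {name}")
```

The check keys on the final extension only, because that is what Windows uses to pick the handler regardless of what Explorer displays.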