Gifar

Graphics Interchange Format Java Archives (GIFAR) is malware that allows an attacker to piggyback off the victim's HTTP cookies. A GIFAR is an image file that can "borrow" a victim's online credentials, possibly taking over the web user's session.
A GIFAR is a Graphics Interchange Format (GIF) image file combined with a JAR file. Such altered GIF files can be uploaded to Web sites that allow image hosting, and then run code in the context of that site.
In this attack, GIF Java archive files (GIFARs) run code in the browser of anyone who views (opens) such a file. Because the file is served from the hosting site's own domain, the method gets around the browser-imposed "same-origin policy" and bypasses the site's usual content validation. Attackers reference the malicious image from applet code on the hosted site, establishing cross-domain communication with the target domain. The GIFAR exploit has been demonstrated as an effective attack against Web applications such as Facebook.
This technique works because GIF images (along with other file types that host the same general class of vulnerability, such as .doc, .jpg, etc.) store their header at the beginning of the file, while JAR (ZIP) files store their data at the end of the file, so a single file can satisfy both parsers.
A GIFAR is not executable code that runs simply because you view an image. For the attack to work, the victim must be logged into the Web site that hosts the image. Any site that combines login sessions with user-uploaded pictures can be vulnerable.
==SUN and the JRE==

In GIFARs, the Java VM recognizes the JAR part, which runs as an applet in the victim's browser as though it had been written by the Web site's developers.
Sun has patched the Java vulnerability in advisory #244988 (as of JDK and JRE 6 Update 11 (December 2, 2008), JDK and JRE 5.0 Update 17, and SDK and JRE 1.4.2_19). Because some users still run installed versions of Java pre-dating the JRE patch, the issue also needs to be addressed as a matter of browser security. Sun's patch does not, however, stop applications from taking ownership of user-supplied content.
From Sun: "...applets are not allowed to open network connections to any computer, except for the host that provided the .class files." Because a GIFAR validates as an image, it can be uploaded to such a site; an embed pointing to that GIFAR can then be placed in another page (hosted anywhere) so that people stumble onto it. The applet is then allowed to make any network connections it wants to the hosting site in the victim's name, and with the applet running the attacker can access the victim's account(s).
If the application restricts the upload of malicious files, the problem is solved without worrying about which version of the JRE the client is running. When a Web app takes ownership of a user-controlled file by serving it from its own domain, it weakens the integrity of that domain.
The impact of these attacks could also be minimized if Web applications that accept user-controlled files served those files from a "throw-away" domain.
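As an added example (not from the Wikipedia article, from Sun, or from any affected site), the following Python implements the upload restriction described above for the GIF/JAR case. It reads the file the way each consumer would: an image filter looks at the leading GIF signature, while a ZIP/JAR reader locates the End-of-Central-Directory (EOCD) record at the tail and tolerates arbitrary bytes in front of the archive. Anything that satisfies both parsers is rejected. The sample inputs are constructed inside the block, and the function names and reject strings are this example's own.

```python
"""Server-side check for GIF/ZIP polyglots (the GIFAR pattern).

A GIF decoder reads from the start of the file; a ZIP/JAR reader starts
from the End-of-Central-Directory (EOCD) record at the end and accepts
any prefix before the archive.  A file that satisfies both parsers is a
polyglot and must not be served from the application's own origin.
"""
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_EOCD_SIG = b"PK\x05\x06"     # End of central directory record
ZIP_CDIR_SIG = b"PK\x01\x02"     # Central directory file header
EOCD_MIN_LEN = 22                # fixed part of the EOCD record
ZIP_MAX_COMMENT = 0xFFFF         # an archive comment may follow the EOCD


def is_gif(data: bytes) -> bool:
    """True if the upload starts with a GIF signature (what an image filter sees)."""
    return data[:6] in GIF_MAGICS


def find_zip_eocd(data: bytes):
    """Locate and parse the ZIP EOCD record the way an archive reader does:
    scan backwards from the end of the file, allowing for a trailing comment.
    Returns the fields needed for validation, or None if no EOCD is present."""
    search_from = max(0, len(data) - (EOCD_MIN_LEN + ZIP_MAX_COMMENT))
    offset = data.rfind(ZIP_EOCD_SIG, search_from)
    if offset < 0 or offset + EOCD_MIN_LEN > len(data):
        return None
    (_disk, _cd_disk, _entries_disk, entries_total,
     cd_size, cd_offset, _comment_len) = struct.unpack(
        "<HHHHIIH", data[offset + 4:offset + EOCD_MIN_LEN])
    return {"eocd_offset": offset, "entries": entries_total,
            "cd_size": cd_size, "cd_offset": cd_offset}


def embedded_zip_prefix_length(data: bytes):
    """Return how many bytes precede a structurally valid ZIP archive in
    `data`, or None if there is no such archive.  The central directory must
    end exactly where the EOCD begins; the gap between where it really sits
    and where the EOCD claims it sits is the prepended prefix (for a GIFAR,
    that prefix is the GIF image)."""
    eocd = find_zip_eocd(data)
    if eocd is None:
        return None
    cd_start = eocd["eocd_offset"] - eocd["cd_size"]
    if cd_start < 0 or cd_start < eocd["cd_offset"]:
        return None
    if eocd["entries"] == 0:
        return cd_start - eocd["cd_offset"]   # empty archive: EOCD alone is valid
    if data[cd_start:cd_start + 4] != ZIP_CDIR_SIG:
        return None   # EOCD bytes occurred by chance, not a real archive
    return cd_start - eocd["cd_offset"]


def classify_upload(data: bytes) -> str:
    """Decision an upload handler can act on (strings are this example's own)."""
    if not is_gif(data):
        return "reject: not a GIF"
    if embedded_zip_prefix_length(data) is not None:
        return "reject: GIF carrying a ZIP/JAR archive"
    return "accept"


# --- constructed sample inputs (not real-world files) -----------------------
# Minimal GIF89a: signature, 1x1 logical screen descriptor, trailer byte.
SAMPLE_GIF = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b";"


def _build_sample_zip() -> bytes:
    """A tiny one-entry archive built with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hello.txt", "constructed sample entry\n")
    return buf.getvalue()


SAMPLE_ZIP = _build_sample_zip()
SAMPLE_POLYGLOT = SAMPLE_GIF + SAMPLE_ZIP   # GIF header first, archive at the end

if __name__ == "__main__":
    for name, blob in [("gif", SAMPLE_GIF), ("zip", SAMPLE_ZIP),
                       ("polyglot", SAMPLE_POLYGLOT)]:
        print(f"{name:9s} -> {classify_upload(blob)}")
```

The check deliberately does not stop at the leading bytes: a magic-number filter is exactly what a GIFAR is built to pass, so the tail has to be parsed as an archive reader would parse it, including the tolerance for prepended data that makes the polyglot work in the first place. Re-encoding uploaded images through an image library before storing them, and serving user content from a separate domain as the article suggests, are the more general defences; this scanner is the narrow check for this particular file-type combination.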

Excerpt source: the free encyclopedia Wikipedia (article "Gifar").




Copyright(C) kotoba.ne.jp 1997-2016. All Rights Reserved.