[Security] client-to-client security :: Summary and todo's
melo at simplicidade.org
Sun Aug 24 03:12:52 CDT 2008
On Aug 23, 2008, at 7:32 PM, Dirk Meyer wrote:
> Pavel Simerda wrote:
>> On Sat, 23 Aug 2008 18:21:38 +0200
>> Dirk Meyer <dmeyer at tzi.de> wrote:
>>> UPnP is a working choice, but bad. Just google for it.
>> I know what UPnP is.
> I mean: google why it is a bad choice :) See below
>>> Since it is based on HTTP attackers found a way to open ports on
>>> your router.
>> Please be more precise, this is not a useful piece of information at
> OK. UPnP uses HTTP. If an attacker knows your router IP address (in
> many cases 192.168.1.1) he can use your browser to open port
> forwarding on your router so you expose services (Windows has a lot of
> services that should be closed to the outside).
An attacker with access to 192.168.1.1 is inside your network. He is
already inside with access to your services, the game is already lost.
> First link I found using google:
I'm not defending UPnP really, but this attack boils down to: you
download an application and allow said application to access your
And the author is surprised that this is a security risk? UPnP
exploits should be the least of his problems.
(I don't know much about Flash, but I thought it had the same same-
described would not work)
XMPP ID: melo at simplicidade.org