This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. In addition, it also allows you to apply some effects and basic editing functions to your images, and includes some extra tools designed to make your experience as rich as possible, so that this program goes far beyond simple image viewing. This is a privilege elevation attack targeted at zone-based web-browser security. FastStone MaxView is a simple but full-featured image viewer that allows you to enjoy your image files and photos in full detail. An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets.
0 kommentar(er)
