MozillaZine

Mozilla Security Hole

Tuesday April 30th, 2002

Anonymous reports: "Grey Magic is reporting a minor security hole in Mozilla builds from at least 0.9.2 up to the current trunk and 1.0 branch. A bug has been filed in Bugzilla, and will be opened to the public to view once the fix has been made. This also affects Netscape browsers from at least 6.1 on. There are no known uses of the vulnerability at this time." We'll let you know when a patch has been checked in for this.

On a side note, Grey Magic recommends that users "should move to a better performing, less buggy browser," on their vulnerability page. Looking at the open issues for it, IE clearly doesn't seem like the better choice.

UPDATE! A fix has been checked into the trunk, and has been approved for checkin to the 1.0 branch. Expect it to be in nightly builds for both branch and trunk starting tomorrow.


#53 I beg to differ....

by leahcim

Wednesday May 1st, 2002 9:13 AM


> While an exploit of this type is serious, I believe that we should keep in mind that you'd need to know the exact file name in order to retrieve the file contents.

Well, /etc/passwd would work in a lot of cases; admittedly shadow passwords would fix some of that (still get a list of accounts to try). Some might have user-readable fetchmail.conf files with ISP passwords in them.

But actually putting file:/ in their demo I got a dir listing, admittedly that would involve a server trying to keep me clicking links and storing state until it reached a file (or could it use its own redirects?) but...

The worst thing about this is the attempt to hide the information once it was already known. Why isn't a warning screaming at me on the Mozilla home page? Sod the fix being available, I'd have the choice to use another browser until there is one or pretend reading files is "minor".

Now I am asking whether this attitude has left me at risk before and will again? Perhaps time to stop using Mozilla until someone other than Netscape controls what is and isn't pulled from the bug tree?

I assume the $1000 is on its way to the finder at last? If not then don't expect me to believe the lip service replies either.