MozillaZine

Mozilla Privacy Bug

Saturday September 14th, 2002

Yesterday, ZDNet UK News reported that Mozilla has a privacy flaw involving HTTP referers. The flaw can be exploited using the onUnload JavaScript handler, which is triggered when a visitor leaves a page (for example, by clicking a link or using a bookmark). The problem is that the referer Mozilla sends is the URL of the page that the visitor is going to, not the page that he or she is exiting. This means that a site can discover where you are heading when you leave.

The security bug is present in the latest versions of Mozilla (including 1.0.1, 1.1 and 1.2 Alpha) as well as some Mozilla-based browsers, such as Netscape 6.x, Netscape 7.0, Galeon 1.2.x and Chimera 0.5. At the time of writing, no fix is available. A workaround is to disable JavaScript (Edit > Preferences > Advanced > Scripts & Plugins).

A demonstration of the exploit has been created by security researcher Sven Neuhaus, who posted details of the vulnerability to Bugtraq on Wednesday.

The bug was filed in Bugzilla as bug 145579 on Sunday 19th May, with the more serious onUnload behaviour found on Friday 7th June. The report is currently marked as "Security-Sensitive" and access to it is restricted in line with the Mozilla Security Bugs Policy.

UPDATE! Bug 145579 has now been made public.

ANOTHER UPDATE! A fix has been checked in to the trunk. A patch for the 1.0 branch will follow shortly.

YET ANOTHER UPDATE! A patch has now been checked in to the 1.0 branch.


#1 Not good, but . . .

by DJGM2002

Saturday September 14th, 2002 1:54 PM

IMO, as far as security/privacy vulnerabilities go, this one is fairly minor. Ideally, the only users of Mozilla-based browsers affected by this bug that need to be worried about it, are those that would generally visit sites with questionable or illegal content, like porn, warez, pirated music files, paedophilia . . . etc. If, like most people, you don't visit any such sites when using a Mozilla-based browser affected by this flaw, you have very little to worry about. I imagine this will likely be patched in a forthcoming Mozilla nightly, and perhaps Chimera will step up to version 0.5.1 or 0.6. As for Netscape, I'm not so sure. Would they really offer a v7.01 revision of their recent major release, or shrug it off until the next big release? Ideally, as this has come to light so soon after Netscape has released their new v7.0 browser, then as soon as there is a fix for this bug, Netscape ought to make it available to their users as an XPI that can be applied directly, rather than forcing users to re-download a complete new version of the entire browser package.

#2 Re: Not good, but . . .

by D00msday

Saturday September 14th, 2002 2:04 PM

Yeah right, most people don't visit porn, warez sites and sites with pirated music files... I think you don't know the regular internet user.

Cya I'm heading to <http://www.warez.maitresse.net/free-porn/mp3.htm>

#3 Re: Not good, but . . .

by D00msday

Saturday September 14th, 2002 2:05 PM

#15 Not good but? Stupid Stupid Rat Creature!

by refactored

Sunday September 15th, 2002 8:46 PM

Think of more imaginative pairs than just nice guy site followed by naughty site.

Nasty authoritarian government spook site followed by libertarian site. (Yes, in the wrong time and place that can get you killed in the very dead sort of way.)

Nasty commercial site followed by online banking bookmark.

Any site followed by something with username / password in URL.

Competitor site followed by internal site.

Any place with doubleclick followed by any place.

#14 Little to worry about?

by untoward

Sunday September 15th, 2002 3:37 PM

I think it's closed-minded to believe that privacy is only important to criminals and deviants.

#25 Re: Not good, but . . .

by Tanyel <tanyel@straightblack.com>

Monday September 16th, 2002 9:55 AM

I think, if it happened to Internet Explorer, you would have said this is the worst bug ever.

#67 Mozilla Privacy...

by cjet

Tuesday October 15th, 2002 8:04 AM

Unfortunately, a major credit card authorization company validates the referrer field prior to authorizing a transaction. I know this is unreliable because the referrer field can be easily manipulated. However, some of my customers are getting white screens with an error message "invalid referrer" because of this bug.

#4 What's the point in restricting access to the bug?

by nick <nick@reloco.com.ar>

Saturday September 14th, 2002 2:32 PM

What's the point in restricting access to the bug after it has been featured in MozillaZine's front page? =)

#9 Re: What's the point in restricting access to the

by AlexBishop <alex@mozillazine.org>

Saturday September 14th, 2002 3:55 PM

It's no longer restricted.

Alex

#5 A solution for this problem.

by MadMaverick9

Saturday September 14th, 2002 2:58 PM

Just add the following to user.js:

user_pref("capability.policy.default.Window.onunload", "noAccess");

There's no need to disable all JavaScript.

I hope somebody from the Mozilla developer community can verify this solution. Thanks.

#7 Not very good response...

by gfk

Saturday September 14th, 2002 3:05 PM

Hey, this bug has been posted on 2002-05-19 and no fix is available, this is pretty lame. I guess Sven Neuhaus should have only waited something like 1 week before making this public, the security moz guys don't seem to care if it's not public... 8(

#8 Mozilla Privacy Bug

by kristen

Saturday September 14th, 2002 3:25 PM

BWAHAHAHAHAHAHAHAHAHA!

#10 Re: Mozilla Privacy Bug

by itomkins

Saturday September 14th, 2002 8:57 PM

Perhaps you would care to take your pointless cackling somewhere else.

#13 if you're gonna laugh, laugh at ie

by joschi

Sunday September 15th, 2002 2:37 PM

Internet Explorer currently has *19* known, unpatched security violations:

<http://www.pivx.com/larholm/unpatched/>

#11 Four months and still no fix ?

by Salsaman

Sunday September 15th, 2002 6:44 AM

What the hell are the developers thinking ? This is bad, very bad.

#12 Maybe

by ecarlson

Sunday September 15th, 2002 1:36 PM

Maybe the developers didn't want people to know about the bug so they could exploit the bug themselves. :-) You could gain some useful marketing info with this bug.

I wonder what other known, but hidden bugs are out there that could be put to use.

- Eric, <http://www.InvisibleRobot.com/>

#26 Re: Maybe

by Tanyel <tanyel@straightblack.com>

Monday September 16th, 2002 9:59 AM

"...You could gain some useful marketing info with this bug."

Maybe that is why it was put there.

#16 Bad policy strikes again

by jwb

Sunday September 15th, 2002 9:07 PM

Go ahead and flame me again Asa, but the security bug policy is shown AGAIN to be bad and unworkable. The policy of restricting access to security bugs keeps people from knowing about a problem, without promoting a timely fix. In the case of bug 145579, the restriction was used as a whitewash. The bug was reported, the access was restricted, and we got TWO major releases (1.0 and 1.1) without a fix.

The only thing that got us a fix in this case was Bugtraq lighting fires under asses. This is exactly the behavior that I expect from some useless software megacorps, but not from the shining flag-bearer of open development.

Finally, I want to say that it is *immoral* to know about security flaws in software without reporting them to your users. It is doubly bad to intentionally hide the problem without making an effort toward fixing it for over four months.

#17 Re: Bad policy strikes again

by sproctor

Sunday September 15th, 2002 9:37 PM

I very much agree. Just seems like utter paranoia to me. Perhaps you don't want to go broadcasting everywhere that you have security problems, but I think it's far worse to try to stifle the knowledge of known problems. People will use Mozilla with or without the security problems. Making them public, I would think, would only allow people to help work on or diagnose them who wouldn't be able to otherwise, or allow people to take precautions to prevent falling victim to these bugs. Look at IE, there's plenty of problems with it. I think we're only better off for knowing them.

#21 Agreed

by mikebell90

Monday September 16th, 2002 1:46 AM

In some cases where there is a) no good workaround b) substantial work is being done to fix the problem

one can allow a little wiggle room. Unfair for us to judge b) without more comments, but as a) existed this simply should have been documented. It never should have been security-restricted, once quite good workarounds were available.

#24 Re: Bad policy strikes again

by asa <asa@mozilla.org>

Monday September 16th, 2002 8:32 AM

Don't like it? Go start your own project and put in place whatever security policy you like.

--Asa

#28 Re: Re: Bad policy strikes again

by Tanyel <tanyel@straightblack.com>

Monday September 16th, 2002 10:02 AM

Do you think telling the people, you don't like, to leave will make your browser better? I think it could only result in a group of people that is unaware or in denial of problems with your software. I suppose that is the average Mozilla user though.

#41 Re: Re: Re: Bad policy strikes again

by shin

Tuesday September 17th, 2002 6:55 AM

I doubt this is what Asa is saying. What he means, and what I would have replied to the same arguments, is more like "try having such a project and still fix things in a timely manner, while exposing your security problems to the public". Exposing security bugs to the public right away isn't the right solution when a fix isn't provided at the same time. Now if Joe-commenter who doesn't work on such a project wants to start a project and see the consequences of making your security bugs public, he can try and see how it feels.

#46 Re: Re: Re: Re: Bad policy strikes again

by rdebay

Tuesday September 17th, 2002 11:48 AM

The public should be informed of the problem as soon as possible. Just don't post the exploit until after the fix is made available. In this case users could have been told that in some cases a web site is notified when you leave it about what site you are going to, and that the original web site requires (not strictly true) malicious code to do this. A link to the bug would then give full details once it is made public.

#39 re: Re: Bad policy strikes again

by GAThrawn

Tuesday September 17th, 2002 3:38 AM

Is there any way within the Bugzilla software that requests to view restricted bugs can either be set to display a different page, or redirect to another page?

That way users could be told the bug is restricted, given a link to the security policy so they can understand why they're being restricted, and more importantly any known workarounds could be listed without exposing the full details of the bug to the general public.

#44 Re: Bad policy strikes again

by jcf76 <jfleshman@hotmail.com>

Tuesday September 17th, 2002 10:29 AM

Given what little I know about Bugzilla, I don't think it would be a problem to add a link to the security policy page. (The question then becomes, will anyone read it anyway?) But I'm pretty sure bug comments are an all-or-nothing deal, unless there was a pretty sizable overhaul of the database. Not to say it isn't a good idea, I just don't think it's a high enough priority for someone to implement it.

#58 Re: Re: Bad policy strikes again

by sproctor

Thursday September 19th, 2002 4:31 AM

That seems like quite the absurd argument, Asa. Is there not allowed to be criticism of policies? The Konqueror folks have gone off and started their own project, from here it just seems like a lot of duplicated effort. I guess what I'm trying to say is that ignoring, adopting or refuting criticism seems within the realm of rationality, but responding with merely smart remarks seems more out of contempt or frustration than an effort toward productive dialog. Who am I to judge?

#18 Re: Bad policy strikes again

by kristen

Sunday September 15th, 2002 10:34 PM

A lot of it simply has to do with all of the spouting off that many of those within the inner recesses of the Mozilla circle have done over the past several years. Boasting and bragging about the security of Mozilla (an unfinished and hardly used product during the whole time) in concert with the bashing of vulnerabilities reported in IE: A product with extremely heavy usage that is close under the microscope by all sorts of individuals and groups (good and evil).

Between Mozilla 1.0 and Mozilla 1.0.1 there were 25 security holes discovered (by the mozilla community alone) and now this: An issue known now for quite some time.

So, in a way you can't blame them for being so hush hush. Most are relatively young and don't know any better. Of course, they'll try to come up with excuses and rationalizations like they always do (or try to I should say).

If I were them, I'd be feeling pretty embarrassed and stupid, too, to say the very least.

#19 ie has *19* unpatched, known security errors

by joschi

Sunday September 15th, 2002 11:48 PM

mozilla has an excellent track record in dealing with security flaws, often fixing them in a matter of hours, not months like microsoft.

<http://www.pivx.com/larholm/unpatched/>

#27 Re: ie has *19* unpatched, known security errors

by Tanyel <tanyel@straightblack.com>

Monday September 16th, 2002 10:00 AM

Do you think attacking Internet Explorer makes Mozilla better?

#30 pick the better option

by joschi

Monday September 16th, 2002 11:23 AM

quality is a relative measure, so pick the product with a BETTER track record. of course i want mozilla to improve and get rid of any problems which it obviously has, but let's keep things in perspective, it's miles ahead of ie on the security front.

#31 Re: pick the better option

by kristen

Monday September 16th, 2002 12:02 PM

"quality is a relative measure, so pick the product with a BETTER track record."

Better track record you say? Mozilla has no track record.

#32 Track Record

by amutch

Monday September 16th, 2002 12:24 PM

Kristen,

Mozilla releases have been available for several years now. You can ignore that reality if you choose to. As I noted in my other post, I can document the differences between Mozilla and IE security and Mozilla wins hands-down. Why are you unable to provide any real-world examples?

#33 Re: Track Record

by kristen

Monday September 16th, 2002 12:30 PM

"Mozilla releases have been available for several years now."

That's right, and their usage has been bordering on the infinitesimal. Mozilla has no track record, period.

#34 Track Record

by amutch

Monday September 16th, 2002 1:46 PM

Kristen,

All you're showing is that you don't know what you are talking about. I have a Mozilla-based browser running on Public computers here at work that I've run for a year-and-a-half of constant use. In all that time, I've never had a security problem with this browser. In contrast, thanks to IE's numerous security holes and integration into the OS, I have had constant problems with IE. Yes, we keep IE and Windows patched with the latest updates, we use Windows policies and third-party software to keep things locked down but IE is still a source of troubles. That's called real-world experience and IE is a security headache. Care to share your experiences with Mozilla and IE since you seem to be passing yourself off as an expert?

#38 Re: Track Record

by kristen

Monday September 16th, 2002 10:37 PM

"I have a Mozilla-based browser running on Public computers here at work that I've run for a year-and-a-half of constant use."

Wow, what a track record. I could just as easily say the same thing with regards to IE, except I've been using it for much longer than 1 1/2 years.

"In all that time, I've never had a security problem with this browser."

Where the hell is your head? No kidding! I wouldn't expect a browser with such minuscule usage status to be the target of any evil freak that drools over the thought of creating headaches for the masses.

"Care to share your experiences with Mozilla and IE since you seem to be passing yourself off as an expert?"

I just did earlier. I'm no expert, I'm just a user, and so far you have done a lousy job of convincing me that Mozilla has any sort of track record worth boasting about.

#40 Re: Re: Track Record

by Dobbins

Tuesday September 17th, 2002 3:59 AM

"I just did earlier. I'm no expert, I'm just a user, and so far you have done a lousy job of convincing me that Mozilla has any sort of track record worth boasting about."

Fine, lack of a "track record" is better than having a horrible track record. IE's track record includes dozens of security bugs each year, including major ones like buffer overflows that could allow someone to gain admin access to your PC or to run executables without your knowledge. It also has the track record of being illegally bundled with the OS for Monopolistic reasons. Outlook (since Mail is part of Mozilla) has a track record of being a virus petri dish that was the reason for "Melissa", "I Love You" and other viruses that cost millions of dollars.

#45 Re: Re: Re: Track Record

by egoots

Tuesday September 17th, 2002 10:53 AM

Kristen has a valid point that you are missing. Mozilla does have a relatively minimal track record. It is used by a small percentage of people browsing. It is a very young and rapidly changing product. Given that, how many of the security scrutineers (black hat or white hat) have put their resources towards examining it? How many of the crackers have tried to exploit it? Someone said they used it for 1 1/2 years (I have used it longer myself) and have experienced no exploits. How would you know if you had? This current security issue only tells the site you are going to, what was the last site you visited. We are all aware of IE's and Microsoft's history. That is not at debate. The point being made is that the secureness (is that a word?) of Mozilla is unproven as of yet. That will come. We hope that the Mozilla development community is working on this as a high priority. Time will tell how well they do.

#52 Re: Re: Re: Re: Track Record

by mikebell90

Wednesday September 18th, 2002 12:03 AM

Right. People tend to ignore this. Let's say Mozilla has 1% of the browser share. Nah let's say 5% although that's pushing excuses.

That means 20x the people are using IE. While that doesn't mean one expects 20x the bugs, one expects these to be exposed/discovered/exploited on a much higher basis.

#54 Re: Re: Re: Re: Re: Track Record

by Dobbins

Wednesday September 18th, 2002 9:07 AM

You don't understand the "Black hat" mentality. The number of users doesn't matter. Putting the exploit to use doesn't matter. The "fame", the admiration of other hackers is all that matters.

Finding yet another hole in MSIE is old hat. Finding an exploit in Mozilla is new territory. It will bring more recognition among other hackers than finding yet another exploit in MSIE. It's worth more in the hacker community.

The real problems start after the "black hat" feeds his ego by releasing the exploit on a hacker site. That is when the "script kiddies" pick it up and start using the exploit.

So far the "black hats" have scored ZERO exploits in Mozilla. That makes it a very tempting target. Being the first "black hat" to find a hole in Mozilla will gain a lot of recognition among hackers.

#57 Real World

by amutch

Wednesday September 18th, 2002 12:19 PM

egoots,

My comments are based on real-world experience, not one someone is speculating about sitting at their computer. I've seen IE and Mozilla-based browsers run under the same conditions. The Mozilla-based browser can be completely locked down and I've never seen it exploited. IE, on the other hand, is inherently insecure and is exploited regularly by security hacks that Mozilla safely ignores.

#42 Re: Re: Track Record

by shin

Tuesday September 17th, 2002 7:04 AM

> Where the hell is your head? No kidding! I wouldn't expect a browser with such minuscule usage status to be the target of any evil freak that drools over the thought of creating headaches for the masses.

You don't need to be an evil freak to wreak havoc in Mozilla: the source is open, so you can find security holes easily if there are any.

It's surprising how many opensource projects, whose source is available for all the evil hackers to see, are often more secure than closed-source projects... But I guess you're going to tell us opensource projects don't have a track record. Funny, funny.

#56 Track Record

by amutch

Wednesday September 18th, 2002 12:15 PM

"Wow, what a track record. I could just as easily say the same thing with regards to IE, except I've been using it for much longer than 1 1/2 years."

Actually, that is quite a track record. It doesn't have anything to do with time, it has to do with use. These PCs are used by thousands of users per year. You may have been using IE for longer than 1.5 years but you haven't been using the same version, I bet. Comparing your use since you used IE 3 to using IE 6 (or whatever version you are using) doesn't provide much useful information for a comparison.

"Where the hell is your head? No kidding! I wouldn't expect a browser with such minuscule usage status to be the target of any evil freak that drools over the thought of creating headaches for the masses."

Sorry - you're just plain wrong. If software can be exploited, it will be exploited. It has nothing to do with how many people use it every day. I've seen people try to hack the Mozilla-based browser without success. I've seen sites try to exploit the Mozilla-based browser without success. On the other hand, IE regularly allows sites to do all kinds of things that no good browser should allow.

"I just did earlier. I'm no expert, I'm just a user, and so far you have done a lousy job of convincing me that Mozilla has any sort of track record worth boasting about."

Maybe you should work in the real world with actual browsers in actual use. Then you can tell me about real-world comparisons, not what you think based on only your experience.

#61 Re: Track Record

by kristen

Thursday September 19th, 2002 5:28 AM

"Actually, that is quite a track record."

It is quite a track record alright. Quite a meaningless and irrelevant one. If you regard you and your 'thousands of users' web browsing in a < 1% browser in an IE world without recourse as any sort of proof that the browser itself is secure, then you better guess again. Your entire logic behind that is broken and flawed. Which brings me to a question. A question that some of the fine folks here at Mozillazine often like to throw in the face of an IE user. A question that I am going to love to ask right now. How do you know you were never compromised? Of the thousands of Mozilla users of whose web browsing you have intimate knowledge of, how do any of them know? Just between Mozilla 1.0 and 1.0.1 there were 25+ security fixes. How do you know that no one has succumbed to any of those? Those were rhetorical questions, of course. The fact is that you don't know.

"Sorry - you're just plain wrong. If software can be exploited, it will be exploited."

I'm going to give you the opportunity to think about what you just said before I rip it to pieces. Take a few deep breaths.... and think for a moment. Think hard if you have to.

"Maybe you should work in the real world with actual browsers in actual use. Then you can tell me about real-world comparisons, not what you think based on only your experience."

This really applies to you more than anyone else. While I don't claim to have personally interviewed ten million web surfers or examined the source code to 2 billion web pages, between work and personal life, my experience is quite firmly grounded in the real world. In fact, I believe it is the other way around in regards to what you said. I think it is you who needs to get out in the real world. I think it is you who needs to get out in the real world because when I see someone, anyone, speaking on the behalf of experiences from thousands of users, hackers, etc... I know they are about as full of poop as a christmas goose.

#35 Re: Re: pick the better option

by joschi

Monday September 16th, 2002 3:24 PM

95% of major sites support gecko. every major web coding community/web site has extensive articles on gecko development. hundreds of thousands to millions of users use gecko. lots of security and privacy experts are busily poring over gecko and its derived browsers, and have found a few problems, but nothing even remotely compared to those found constantly in IE. mozilla has a terrific and extensive track record. you are making rash statements that go against all the available facts. in other words, you are either very ignorant and biased, or a troll.

#47 Re: Re: Re: pick the better option

by SubtleRebel <mark@ky.net>

Tuesday September 17th, 2002 12:20 PM

"you are making rash statements that go against all available the facts. in other words, you are either very ignorant and biased, or a troll."

You forgot to include the choice of "All of the above."

#49 Re: Re: Re: pick the better option

by kristen

Tuesday September 17th, 2002 2:42 PM

"mozilla has a terrific and extensive track record."

I have to wonder now, are you really that ignorant and out of touch with reality or are you just pretending?

#50 its already fixed

by joschi

Tuesday September 17th, 2002 6:34 PM

mozilla proves yet again how well and promptly they deal with security flaws... shall we take a look and see how much change there is over in ie land?

<http://www.pivx.com/larholm/unpatched/>

oh... that's too bad, still *19* unpatched, known security holes, nice track record.

As for you? the more you write, the more of a track record of your blinding ignorance you leave for us, thanks!

#51 Re: its already fixed

by kristen

Tuesday September 17th, 2002 6:53 PM

That's funny. NS7, Galeon, KMeleon, etc... still seem to suffer from this. In fact, anything based on 1.0 has 25+ exploits. Have the security geniuses at mozilla.org installed your new update system that instantly delivers patches to the trunk to all of the mozilla users' systems? As well as the products based on gecko?

What puzzles me is why were any of these exploits found to begin with when for years you and others have been touting how secure Mozilla is? 25 discovered internally between 1.0 and 1.01 alone? That's only a few months time!!!

"Designed bottom up with security as top priority" was the big rant for quite a while. Reality is biting you in the ass and this is just the tip of the iceberg if Mozilla's usage share increases enough for any of the evil doers to give a flying rip about it.

#36 Re: pick the better option

by Tanyel <tanyel@straightblack.com>

Monday September 16th, 2002 4:03 PM

"quality is a relative measure, so pick the product with a BETTER track record."

Does this mean we should all use Opera?

#37 Re: Re: pick the better option

by joschi

Monday September 16th, 2002 5:50 PM

sure, if you think its a better product, please go use it.

#20 Security flaws

by amutch

Monday September 16th, 2002 1:29 AM

Kristen,

I use Mozilla and Mozilla-based browsers almost exclusively and have never been struck by security flaws in any of them. I also support a Mozilla-based browser at work for public access computers and I have NEVER had a security problem with it in 1.5 years of use. On the other hand, I also have to support Internet Explorer at work and I am constantly having to fend off the security holes in IE. Things have settled down a bit with Windows 2000 versus Windows 98, which was a security nightmare, but I still have to download and install "critical" patches on a weekly basis with IE. That's real-world experience. Maybe you can share your experiences that would convince me to abandon Mozilla for IE's bugginess.

#22 Minor issue

by borggraefe

Monday September 16th, 2002 4:31 AM

I don't think this bug is this severe. Isn't it just the same information submitted as with the standard referrer-header? It's just the opposite direction. Instead of the referrer being the page you were coming from, it is the page you are going to when this bug strikes.

Stefan

#29 Re: Profile question

by jcf76 <jfleshman@hotmail.com>

Monday September 16th, 2002 10:49 AM

Not entirely. HTTP_REFERER is only sent when a link is clicked on (and, in some browsers, if you say it's OK). So if you go to yourfavoritepornsite.com and then click the bookmark for your employer's site, they won't find out about you. This bug, however, seems to occur regardless of how you leave the page.

#23 Is There Another Security Bug?

by Dobbins

Monday September 16th, 2002 8:08 AM

Bug 145579 is one of two bugs that Bug 168066 (Make 1.2 Beta not suck) depends on. The other is Bug 163648 which has restricted access.

#43 Re: Is There Another Security Bug?

by jesse <jruderman@hmc.edu>

Tuesday September 17th, 2002 8:35 AM

Yes, 163648 is security-related.

#48 Fix is in

by ksosez <ksosez@softhome.net>

Tuesday September 17th, 2002 1:20 PM

Fix just went in

#53 Re: Fix is in

by romax

Wednesday September 18th, 2002 5:45 AM

This is a perfect example of the advantages that open source has over other competing development models. Did you ever hear of a Microsoft bug that was fixed at the same pace after it went public as we've seen here?

I haven't anyway.

#55 Re: Fix is in

by Salsaman

Wednesday September 18th, 2002 9:40 AM

Well, it's very good that they have fixed it. However, if the developers had fixed it as soon as it was reported, they would have saved themselves a lot of embarrassment. Now as it stands there are a lot of unpatched browsers still out there, and mozilla's image has been tarnished. Don't get me wrong, I love using mozilla, and I'm sure there are good reasons why it took four months to patch. But at the very least, the mozilla team should be reviewing their procedures for fixing security bugs to make sure something like this doesn't happen again.

#59 Fix is out, but how do you implement it?

by DeepFreeze3

Thursday September 19th, 2002 5:23 AM

Somebody posted a response to an article about this bug on ZDNet's web site. Here's a copy of it (Apparently, the guy was ticked off?):

***********

Firstly, the article does a pathetic job of explaining the bug in the first place.

Secondly, it includes the single most draconian fix imaginable - sorry, folks, but disabling JavaScript is not an acceptable workaround.

Thirdly, nobody posted the one-line fix you can add to your user.js file:

user_pref("capability.policy.default.Window.onunload", "noAccess");

It's all in the Bugzilla report - which, again, nobody bothered to mention:

- <http://bugzilla.mozilla.org/show_bug.cgi?id=145579>

Do I have to do everything around here?

***********

Now here's what I want to know:

1) Where's the user.js file?

2) How do you add the one-line fix to the user.js file? Does it involve using NotePad or WordPad? Or do you have to use something else?

#60 Fix is out, but how do you implement it? (PT. 2)

by DeepFreeze3

Thursday September 19th, 2002 5:27 AM

Here's the link to the actual post on ZDNet, if anybody wants to see it for themselves:

<http://forums.com.com/gro…t.com.com&NODEID=1105>

#66 Re: Fix is out, but how do you implement it? (PT.

by MadMaverick9

Friday September 20th, 2002 12:53 PM

And yes - if u don't read what was posted in this forum before, u have to do everything urself. :-)

#62 re: Fix is out, but how do you implement it?

by GAThrawn

Thursday September 19th, 2002 10:30 AM

First of all the user.js file is stored in your profile directory.

Depending which version of Windows you're using this could be in a variety of places (I'm assuming you're using Windows):

Win95/98/Me: your profile will be in either:

C:\windows\profiles\[your ID]\Application Data\Mozilla\Profiles\[Your profile name, or default]\[random number].slt\

Or:

C:\windows\Application Data\Mozilla\Profiles\[Your profile name, or default]\[random number].slt\

WinNT4: C:\winnt\profiles\[your ID]\Application Data\Mozilla\Profiles\[Your profile name, or default]\[random number].slt\

Win2000/WinXP: C:\Documents and Settings\[your ID]\Application Data\Mozilla\Profiles\[Your profile name, or default]\[random number].slt\

The bits in the square brackets ([]) will vary from PC to PC.

You can open the user.js file in Windows Notepad (make sure to close Mozilla first, including Quicklaunch if you use it). Then at the end of the file, on a blank line paste:

user_pref("capability.policy.default.Window.onunload", "noAccess");

Then save the file and restart Mozilla, and that particular JavaScript method will be safely disabled.

#63 Is "prefs" the JScript Script File?

by DeepFreeze3

Thursday September 19th, 2002 1:05 PM

I have Windows Me, and came up with this:

C:\WINDOWS\Application Data\Mozilla\Profiles\default\jsofl9dp.slt

In there, I found something called a JScript Script File named "prefs". Is this the user.js file that everybody is talking about? If it is, would anybody know how to back this file up? (Better to be safe than sorry.)

#64 Yes, that's the file.

by nstenz

Friday September 20th, 2002 9:02 AM

To back it up, just make a copy of it with a different name. If you break something in Mozilla, you can delete your broken PREFS.JS and rename the good backup you made to the original name.

#65 Re: Fix is out, but how do you implement it?

by MadMaverick9

Friday September 20th, 2002 12:18 PM

I posted that solution the day this problem was published on MozillaZine.

Look at my posting:

A solution for this problem. submitted by MadMaverick9 Saturday September 14th, 2002 04:58:19 PM

You will need to create the user.js file. It will be merged into the prefs.js file. <http://www.mozilla.org/st…/1.0/faq/general.html#1.5>
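
The steps given in comments #62 and #65, as an added example that is not part of the original thread or Mozilla's own code: a Python script that writes the posted pref line into user.js for every profile under a Profiles directory, creating the file where it does not exist and replacing any conflicting setting for the same pref. The function names, the `user.js.bak` backup name and the command-line usage are assumptions of this example; close Mozilla before running it.

```python
import re
import shutil
import sys
from pathlib import Path

# Pref name and value exactly as posted in the thread.
PREF_NAME = "capability.policy.default.Window.onunload"
PREF_LINE = 'user_pref("%s", "noAccess");' % PREF_NAME

# Any active (not commented-out) user_pref() line for this pref, whatever its value.
_EXISTING = re.compile(r'^\s*user_pref\(\s*"' + re.escape(PREF_NAME) + r'"\s*,')


def find_profile_dirs(profiles_root):
    """Return <root>/<profile name>/<random>.slt directories, the layout described above."""
    return sorted(p for p in Path(profiles_root).glob("*/*.slt") if p.is_dir())


def apply_workaround(profile_dir):
    """Make user.js in profile_dir set the pref exactly once.

    Returns "created", "updated" or "unchanged".
    """
    user_js = Path(profile_dir) / "user.js"
    if not user_js.exists():
        # user.js is not there by default; it has to be created.
        user_js.write_text(PREF_LINE + "\n", encoding="utf-8")
        return "created"

    # surrogateescape round-trips bytes that are not valid UTF-8 unchanged.
    text = user_js.read_text(encoding="utf-8", errors="surrogateescape")
    lines = text.splitlines()
    matches = [ln for ln in lines if _EXISTING.match(ln)]
    if len(matches) == 1 and matches[0].strip() == PREF_LINE:
        return "unchanged"

    # Keep a copy before rewriting (the backup file name is this example's choice).
    shutil.copy2(user_js, user_js.with_name("user.js.bak"))
    kept = [ln for ln in lines if not _EXISTING.match(ln)]
    kept.append(PREF_LINE)
    user_js.write_text("\n".join(kept) + "\n",
                       encoding="utf-8", errors="surrogateescape")
    return "updated"


def apply_to_all(profiles_root):
    """Apply the workaround to every profile under profiles_root; map dir -> status."""
    return {d: apply_workaround(d) for d in find_profile_dirs(profiles_root)}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: apply_onunload_workaround.py <path to Mozilla Profiles directory>")
    for directory, status in apply_to_all(sys.argv[1]).items():
        print(f"{status:9} {directory}")
```

Pass the `Mozilla\Profiles` directory for your Windows version, as listed in comment #62, as the only argument.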