No matter what we try, there's always one more dirtbag...


Post by unixmuseum » Sat Jul 31, 2004 6:32 pm

"A vulnerability has been reported in Mozilla and Mozilla Firefox, allowing malicious websites to spoof the user interface. The problem is that Mozilla and Mozilla Firefox don't restrict websites from including arbitrary, remote XUL (XML User Interface Language) files. This can be exploited to "hijack" most of the user interface (including tool bars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees.

The Mozilla user interface is built using XUL files. A PoC (Proof of Concept) exploit for Mozilla Firefox has been published. The PoC spoofs a SSL secured PayPal website. This has been confirmed using Mozilla 1.7 for Linux, Mozilla Firefox 0.9.1 for Linux, Mozilla 1.7.1 for Windows and Mozilla Firefox 0.9.2 for Windows. Prior versions may also be affected."

Mozilla bug# 244965
http://bugzilla.mozilla.org/show_bug.cgi?id=244965

Post by nekonoko » Fri Aug 06, 2004 2:50 am

Just an FYI that foetz has since uploaded Firefox 0.9.3 which addresses this bug.
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.

Post by Hakimoto » Fri Aug 06, 2004 3:37 am

Hip hip hooray for foetz!

Post by Hakimoto » Fri Aug 06, 2004 10:17 am

Inst'd the new 0.9.3 from foetz, works like a charm. Great work.

Post by foetz » Fri Aug 06, 2004 6:09 pm

thanks as always :D
r-a-c.de

