Nekochan Net

Official Chat Channel: #nekochan // irc.nekochan.net
It is currently Wed Apr 23, 2014 8:49 pm

All times are UTC - 8 hours


Forum rules


Any posts concerning pirated software or offering to buy/sell/trade commercial software are subject to removal.



Post new topic Reply to topic  [ 1 post ] 
Author Message
Unread postPosted: Tue Mar 15, 2005 9:48 am 
Offline
User avatar

Joined: Mon Apr 14, 2003 3:34 am
Posts: 5057
following is true for 1.7.5 and below.
:!: :!: ff 1.0 AND tb 1.0 are based on 1.7.5 so they're affected, too :!: :!:

watch out before downloading or use the ff and tb versions with the date in their name.
mozilla 1.8x should be safe.


CRITICAL:
Not critical

IMPACT:
Spoofing

WHERE:
From remote

Description:
bitlance winter has discovered a weakness in Mozilla, which can be exploited by malicious people to trick users into saving malicious files by obfuscating URLs.

The status bar cannot be manipulated via script code in the default settings. However, it is still possible to display an incorrect URL in the status bar when hovering the mouse over a link, right clicking, and choosing "Save Link Target As...".

This can be exploited by including a nested link in a table inside a link.

The weakness is related to:
SA13015

Example:
<a href="[TRUSTED_URL]">
<table><tr><td>
<a href="[MALICIOUS_URL]">download
</a>
</td></tr></table>
</a>

The weakness has been confirmed in version 1.7.5. Other versions may also be affected.

Solution:
Never save files via untrusted sources.

Provided and/or discovered by:
bitlance winter

_________________
r-a-c.de


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 1 post ] 

All times are UTC - 8 hours


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group