2/8/05 New Secunia Firefox/Moz Security Issue


Postby geffr » Tue 08 Feb, 2005 10:31 am

Perhaps it's time for FF 1.1 with a few of these issues patched? That needs to be Moz's priority at the moment.

Does anyone know what "The vulnerabilities have been fixed in the CVS repository." means?

Lastly, yesterday's IDN is back to affecting my system after setting it to false. Don't understand why the fix only works for a short time......

TITLE:
Mozilla / Firefox Three Vulnerabilities

SECUNIA ADVISORY ID:
SA14160

VERIFY ADVISORY:
http://secunia.com/advisories/14160/

CRITICAL:
Less critical

IMPACT:
Security Bypass, Cross Site Scripting, Manipulation of data

WHERE:
From remote

SOFTWARE:
Mozilla Firefox 1.x
http://secunia.com/product/4227/
Mozilla Firefox 0.x
http://secunia.com/product/3256/
Mozilla 1.7.x
http://secunia.com/product/3691/
Mozilla 1.6
http://secunia.com/product/3101/
Mozilla 1.5
http://secunia.com/product/2478/
Mozilla 1.4
http://secunia.com/product/1481/
Mozilla 1.3
http://secunia.com/product/1480/
Mozilla 1.2
http://secunia.com/product/3100/
Mozilla 1.1
http://secunia.com/product/98/
Mozilla 1.0
http://secunia.com/product/97/
Mozilla 0.x
http://secunia.com/product/772/

DESCRIPTION:
mikx has discovered three vulnerabilities in Mozilla and Firefox,
which can be exploited by malicious people to plant malware on a
user's system, conduct cross-site scripting attacks and bypass
certain security restrictions.

1) Mozilla and Firefox validate an image against the "Content-Type"
HTTP header, but use the file extension from the URL when saving an
image after a drag and drop event. This can e.g. be exploited to
plant a valid image with an arbitrary file extension and embedded
script code (e.g. .bat file) on the desktop by tricking a user into
performing a certain drag and drop event.

2) Missing URI handler validation when dragging a "javascript:" URL
to another tab can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an arbitrary site by
tricking a user into dragging a malicious link to another tab.

3) An error in the restriction of URI handlers loaded via plugins can
be exploited to link to certain restricted URIs (e.g. about:config).

This can further be exploited to trick a user into changing some
sensitive configuration settings.

The vulnerabilities have been confirmed in Mozilla 1.7.5 and Firefox
1.0. Other versions may also be affected.

SOLUTION:
The vulnerabilities have been fixed in the CVS repository.

PROVIDED AND/OR DISCOVERED BY:
mikx

ORIGINAL ADVISORY:
1) http://www.mikx.de/index.php?p=8
2) http://www.mikx.de/index.php?p=9
3) http://www.mikx.de/index.php?p=10

OTHER REFERENCES:
1) https://bugzilla.mozilla.org/show_bug.cgi?id=279945
2) https://bugzilla.mozilla.org/show_bug.cgi?id=280056
3) https://bugzilla.mozilla.org/show_bug.cgi?id=280664
UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
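
Added example for item 1 of the advisory quoted above (not part of the post, the Secunia text, or Mozilla's code): the file name taken from the URL next to a variant that derives the extension from the validated image type. All function names, the type table and the sample URL and bytes are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Image types accepted for saving: MIME type -> (magic-byte prefixes, on-disk extension).
IMAGE_TYPES = {
    "image/gif": ((b"GIF87a", b"GIF89a"), ".gif"),
    "image/png": ((b"\x89PNG\r\n\x1a\n",), ".png"),
    "image/jpeg": ((b"\xff\xd8\xff",), ".jpg"),
}

def url_basename(url):
    """Last path segment of the URL, percent-decoded."""
    return posixpath.basename(unquote(urlsplit(url).path)) or "image"

def naive_save_name(url):
    """Behaviour described in item 1: name and extension both come from the URL."""
    return url_basename(url)

def safe_save_name(url, content_type, body):
    """Take only the stem from the URL; the extension follows the validated type."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in IMAGE_TYPES:
        raise ValueError("not an accepted image type: %r" % mime)
    magics, ext = IMAGE_TYPES[mime]
    if not body.startswith(magics):
        raise ValueError("body does not match declared type %s" % mime)
    stem = posixpath.splitext(url_basename(url))[0]
    # Drop dots, separators and anything else that could carry a second extension or a path.
    stem = "".join(c for c in stem if c.isascii() and (c.isalnum() or c in "-_"))
    return (stem or "image") + ext

# Constructed sample: a GIF header served as image/gif from a URL ending in .bat.
SAMPLE_URL = "http://example.test/pics/holiday.bat"
SAMPLE_BODY = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;"

if __name__ == "__main__":
    print("naive:", naive_save_name(SAMPLE_URL))
    print("safe: ", safe_save_name(SAMPLE_URL, "image/gif", SAMPLE_BODY))
```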
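
Added example for items 2 and 3 of the advisory quoted above (not part of the post, the Secunia text, or Mozilla's actual fix): a deny-by-default scheme check applied when a URI arrives from an untrusted source such as a link dropped on a tab or a plugin request. The allow-list, the function names and the sample URIs are assumptions made for illustration.

```python
import re

# Schemes that untrusted content (a dragged link, a plugin-supplied URL) may open.
# javascript:, about: and any scheme not listed here are refused by default.
CONTENT_SAFE_SCHEMES = frozenset({"http", "https", "ftp"})

SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")  # RFC 3986 scheme grammar
C0_AND_SPACE = "".join(map(chr, range(0x21)))           # U+0000..U+0020

def scheme_of(uri):
    """Scheme as a lenient URL parser would see it, lower-cased; None if absent."""
    # Lenient parsers ignore surrounding control characters and spaces and
    # embedded tab/LF/CR, so normalise the same way before looking at the scheme.
    cleaned = uri.strip(C0_AND_SPACE).translate({9: None, 10: None, 13: None})
    match = SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None

def may_load(uri, trusted_source):
    """trusted_source=True models the user typing into the location bar;
    False models a drop from page content or a request made by a plugin."""
    if trusted_source:
        return True
    return scheme_of(uri) in CONTENT_SAFE_SCHEMES

# Constructed sample URIs.
SAMPLES = [
    "http://example.test/page",
    "javascript:void(0)",
    "  JavaScript:void(0)",
    "java\tscript:void(0)",
    "about:config",
    "page.html",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(repr(uri), scheme_of(uri), may_load(uri, trusted_source=False))
```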

Re: 2/8/05 New Secunia Firefox/Moz Security Issue

Postby J-M » Tue 08 Feb, 2005 5:19 pm

geffr wrote: Perhaps it's time for FF 1.1 with a few of these issues patched? That needs to be Moz's priority at the moment.

According to recent knowledge we can just wait for FF1.1 in June. In fact, release 1.01 is planned for security release purposes. The Mozilla Foundation is aware of several reported vulnerabilities, but those are handled confidentially, of course, and there is a 'security-sensitive' flag in Bugzilla entries related to exploitable security issues. They remove that flag when patches are ready and/or someone publishes information about those issues.
Thanks for the informative posting. Is it possible to add something like "Secunia writes:" above the TITLE: row, now that your Edit mode works? :wink: Possibly they are reading their advisory text here.

Mozilla guys (and girls?) are working hard to push out new releases of FF and Suite in the near future, I think.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fi-FI; rv:1.7.5) Gecko/20041108 Firefox/1.0

Postby Ramona » Tue 08 Feb, 2005 6:24 pm

geffr wrote: Does anyone know what "The vulnerabilities have been fixed in the CVS repository." means?

http://www.mozilla.org/cvs.html

What's CVS?

CVS is the Concurrent Versions System. Start at CVShome.org to learn more and read the tutorial.

http://www.cvshome.org/
http://www.cvshome.org/docs/blandy.html

Anyone can check out the sources via CVS, but only certain people have the ability to check in. Those people, basically, are the module owners and their delegates. Read our document on hacking mozilla to find out how to get the ability to check in. You may also wish to see our using SSH to connect to CVS document.

To check out the sources, you need to be running CVS 1.10 or later
--

CVS client-server access method lets developers access the latest code from anywhere there's an Internet connection.

This isn't for end users, it's for developers, so the Secunia Advisories are misleading in that respect. We will have to wait for a new Security Release from Mozilla/Firefox. Mozilla is very fast to respond to these security vulnerabilities, so I doubt if we have a long wait.

Ramona
UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Postby J-M » Wed 09 Feb, 2005 11:43 am

Netscape 7 is affected too, version 7.2 is confirmed by Secunia:

http://secunia.com/advisories/14206/
in an advisory published today.

A better name for this issue is maybe Netscape Browser Multiple Drag and Drop Vulnerabilities;
http://www.k-otik.com/english/advisories/2005/0134

However, "Firedragging" is one part of the issue, but the "Firetabbing" issue and PoC are based on the drag and drop method too.

Secunia's advisory contains links to test pages.

Secunia says:
Solution:
Use another browser.


This is due to several unpatched issues.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fi-FI; rv:1.7.5) Gecko/20041108 Firefox/1.0

Re: 2/8/05 New Secunia Firefox/Moz Security Issue

Postby Alice » Wed 09 Feb, 2005 12:42 pm

geffr wrote:
Lastly, yesterday's IDN is back to affecting my system after setting it to false. Don't understand why the fix only works for a short time......

That's a separate issue. See:
http://sillydog.org/forum/viewtopic.php?t=8260
"IDN" Spoofing Security Issue in FF,Moz,NS7,Safari
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041217

Postby J-M » Wed 09 Feb, 2005 2:47 pm

Leaving this thread to Firefox and Mozilla Suite, and their situation of fixing etc.

Started a new Netscape 7 thread:
http://sillydog.org/forum/viewtopic.php?t=8284
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fi-FI; rv:1.7.5) Gecko/20041108 Firefox/1.0

Postby J-M » Tue 22 Mar, 2005 3:54 am

These issues are fixed "officially" now in Mozilla 1.7.6. Secunia's advisory was saying Vendor Patch earlier too, like we already know.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fi-FI; rv:1.7.6) Gecko/20050226 Firefox/1.0.1