Firefox Cookie Bug

Started by Humpty, Feb 15 2007 09:47 PM

You cannot reply to this topic
Go to first unread post

10 replies to this topic

#1 OFFLINE Humpty

Super Hero

Members
2,125 posts

Posted 15 February 2007 - 09:47 PM

Quote

There's a new bug reported in the way Firefox handles writes to the 'location.hostname' DOM property. The vulnerability could potentially allow a malicious website to manipulate the authentication cookies for a third-party site. The bug was submitted by Michal Zalewski and was tested with the current version of Firefox.

The bug could allow for the browser to appear as if were connecting to a bank, when in fact it would instead be receiving data from a bad guy.A demo of the vulnerability and a suggested work-around can be found here.

F-secure article

Back to top

#2 OFFLINE krit86lr

Power Member

Members
1,958 posts

Gender:Female
Location:Missouri, USA

Posted 15 February 2007 - 09:51 PM

Oh, no!

I hope it's fixed quickly.

CCleaner Beginner's Guide | Winapp2.ini: Personalize Your CCleaner | DAF | Fix CCleaner Crashes | CCleaner Issues Re-appearing

Back to top

#3 OFFLINE Humpty

Super Hero

Members
2,125 posts

Posted 15 February 2007 - 10:10 PM

When I tested FF the noscript extension stopped the test site.

I then allowed the test site and I was supposedly vulnerable so I implemented the "about:config" setting and that seemed to fix it.

Back to top

#4 OFFLINE Andavari

Captain Spectacular

Moderators
13,324 posts

Gender:Male
Location:Shadow Moses

Posted 16 February 2007 - 08:58 PM

Humpty, on Feb 15 2007, 04:10 PM, said:

I then allowed the test site and I was supposedly vulnerable so I implemented the "about:config" setting and that seemed to fix it.

Ditto, the fix works for me too in the interim. I wonder though if/when Mozilla fixes it if we'll have to remove the fix.

Complexity of incoherent design.

Back to top

#5 OFFLINE JDPower

Cydonian Knight

Members
2,952 posts

Gender:Male
Location:England

Posted 16 February 2007 - 10:08 PM

Andavari, on Feb 16 2007, 08:58 PM, said:

Ditto, the fix works for me too in the interim. I wonder though if/when Mozilla fixes it if we'll have to remove the fix.

With it being a Mozilla suggested fix I wouldn't think so (wouldn't be surprised if the official fix just does the same thing)

Back to top

#6 OFFLINE fireryone

Lets Get Dangerous

Members
1,626 posts

Gender:Male
Location:QLD,Australia
Interests:PC, LOTRO

Posted 17 February 2007 - 12:53 AM

Quote

There's a new bug reported in the way Firefox...

Thanks I've fixed mine

fireryone

There are 10 types of people in this world.
Those who understand binary, and those who don't.

Back to top

#7 OFFLINE Sputnik

Advanced Member

Members
238 posts

Posted 17 February 2007 - 07:49 PM

fireryone, on Feb 17 2007, 01:53 AM, said:

Thanks I've fixed mine

Dito

Ceci n'est pas une signature

Back to top

#8 OFFLINE TeeJay3800

Power Member

Members
675 posts

Gender:Male
Location:Metro Detroit

Posted 20 February 2007 - 01:57 AM

I fixed mine too, but now www.howardforums.com will not load for me. Is this happening to anyone else?

Dell Latitude D600
Windows 7 Ultimate 32-bit SP1

Back to top

#9 OFFLINE Humpty

Super Hero

Members
2,125 posts

Posted 20 February 2007 - 02:02 AM

Howards Forum is loading OK here.

In case the test site for the fix can't be accessed.

An interim workaround suggested by Firefox developers is to Open Firefox, go to the Address Bar and type: about:config
Then right-click anywhere on the page to add a new string key: capability.policy.default.Location.hostname.set
Set its value to noAccess