Full Version: Firefox Cookie Bug
Humpty
QUOTE
There's a new bug reported in the way Firefox handles writes to the 'location.hostname' DOM property. The vulnerability could potentially allow a malicious website to manipulate the authentication cookies for a third-party site. The bug was submitted by Michal Zalewski and was tested with the current version of Firefox.

The bug could allow for the browser to appear as if it were connecting to a bank, when in fact it would instead be receiving data from a bad guy. A demo of the vulnerability and a suggested work-around can be found here.

F-secure article
krit86lr
Oh, no! I hope it's fixed quickly.
Humpty
When I tested FF the noscript extension stopped the test site.

I then allowed the test site and I was supposedly vulnerable so I implemented the "about:config" setting and that seemed to fix it.
Andavari
QUOTE(Humpty @ Feb 15 2007, 04:10 PM)
I then allowed the test site and I was supposedly vulnerable so I implemented the "about:config" setting and that seemed to fix it.

Ditto, the fix works for me too in the interim. I wonder though if/when Mozilla fixes it if we'll have to remove the fix.
JDPower
QUOTE(Andavari @ Feb 16 2007, 08:58 PM)
Ditto, the fix works for me too in the interim. I wonder though if/when Mozilla fixes it if we'll have to remove the fix.

With it being a Mozilla suggested fix I wouldn't think so (wouldn't be surprised if the official fix just does the same thing)
fireryone
QUOTE
There's a new bug reported in the way Firefox...

Thanks I've fixed mine
Sputnik
QUOTE(fireryone @ Feb 17 2007, 01:53 AM)
Thanks I've fixed mine

Ditto
TeeJay3800
I fixed mine too, but now www.howardforums.com will not load for me. Is this happening to anyone else?
Humpty
Howards Forum is loading OK here.

In case the test site for the fix can't be accessed.

An interim workaround suggested by Firefox developers is to open Firefox, go to the Address Bar and type: about:config
Then right-click anywhere on the page to add a new string key: capability.policy.default.Location.hostname.set
Set its value to noAccess
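
An added example, not part of the original post and not Mozilla code: a Python check that reads the text of a profile's prefs.js (and optionally user.js) and reports whether the workaround pref named above is set to noAccess. The sample file contents are constructed, and the function names and status labels are this example's own.

```python
import re

# Pref name and value exactly as given in the workaround above.
PREF = "capability.policy.default.Location.hostname.set"
WANTED = "noAccess"

# One string pref as Firefox stores it in prefs.js / user.js:
#   user_pref("name", "value");
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)\s*;'
)

def parse_prefs(text):
    """Return {name: value} for string prefs; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)  # commented-out lines (// or #) never match
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def workaround_status(prefs_js, user_js=""):
    """Classify a profile as 'applied', 'different-value' or 'missing'.

    user.js is applied on top of prefs.js at startup, so its value wins.
    Anything other than the exact string from the post is reported as
    'different-value' (a conservative choice made for this example).
    """
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    if PREF not in merged:
        return "missing"
    return "applied" if merged[PREF] == WANTED else "different-value"

# Constructed sample of a prefs.js after following the about:config steps.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.page", 1);
user_pref("capability.policy.default.Location.hostname.set", "noAccess");
"""

# Constructed sample of a user.js that would silently undo the workaround.
SAMPLE_USER_OVERRIDE = (
    'user_pref("capability.policy.default.Location.hostname.set", "allAccess");\n'
)

if __name__ == "__main__":
    print("prefs.js only:        ", workaround_status(SAMPLE_PREFS))
    print("with user.js override:", workaround_status(SAMPLE_PREFS, SAMPLE_USER_OVERRIDE))
```

The same check can be used later to find profiles that still carry the pref once it is no longer needed.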
JDPower
QUOTE(Humpty @ Feb 20 2007, 02:02 AM)

Working fine here too.
Woody
Works here as well.

God isn't that site weird? One guy on there has over 7500 posts, all about mobile phones!

The words Get and Life spring to mind.