Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Some vulnerabilities and a weakness have been reported in Mozilla Firefox, which can be exploited by malicious people to disclose sensitive information, conduct phishing attacks, manipulate certain data, and potentially compromise a user's system.
Description:
A security issue has been reported in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks.
The problem is that the "jar:" protocol handler does not validate the MIME type of the contents of an archive, which are then executed in the context of the site hosting the archive. This can be exploited to conduct cross-site scripting attacks on sites that allow a user to upload certain files (e.g. .zip, .png, .doc, .odt, .txt).
Solution:
Do not follow untrusted "jar:" links or browse untrusted websites.
Mozilla Firefox Multiple Vulnerabilities (Moderately Critical)
Quote:
Description:
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site request forgery attacks and potentially to compromise a user's system.
1) A race condition when setting the "window.location" property can be exploited to generate a fake HTTP Referer header, which can be used to conduct cross-site request forgery attacks.
2) Some unspecified errors can be exploited to cause memory corruption and potentially allow execution of arbitrary code.
The vulnerabilities are reported in versions prior to 2.0.0.10.
Description:
Paul Szabo has discovered a security issue in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks.
The security issue is caused due to embedded iframes inheriting the charset of parent frames when the charset is set manually. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of certain sites that are included via iframes in a malicious page.
Successful exploitation requires that the target user is tricked into changing the charset of the parent page e.g. to UTF-7.
The security issue is confirmed in Firefox 2.0.0.11. Other versions may also be affected.
Solution:
Do not change the character encoding manually. Do not browse untrusted sites.
A serious flaw in how Firefox handles log-ons could be used by identity thieves to dupe users into disclosing passwords, a noted security researcher said Wednesday.
Aviv Raff, an Israeli researcher best known for ferreting out browser flaws, revealed the Firefox spoofing vulnerability on his personal blog, and posted a demonstration video there. He did not go public with any proof-of-concept code or working exploit, however.
According to Raff, Firefox 2.0.0.11 -- Mozilla Corp.'s most current version -- fails to sanitize single quotation marks and spaces in what's called the "Realm" value of an authentication header. "This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site," said Raff.
Mozilla Firefox "chrome:" Directory Traversal Security Issue
Quote:
Gerry Eisenhaur has discovered a security issue in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions.
The security issue is caused due to an error within the handling of "chrome:" URIs. This can be exploited to include arbitrary scripts from local resources via directory traversal attacks.
A new set of highly critical vulnerabilities have been found/fixed in Firefox.
Please upgrade to version 2.0.0.13 ASAP.
Quote:
Some vulnerabilities and weaknesses have been reported in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, conduct cross-site scripting and phishing attacks, and potentially compromise a user's system.
A very nice tool for FireFox Security is NoScript. It is available in the add-ons page.
NOTE: It may cause some problems with sites such as LinuxQuestions or YouTube ... You must give these sites privileges ... to watch videos, you often have to enable other sites (For YouTube, for example, you need to allow YouTube and ytimg.)
Mozilla Firefox Javascript Garbage Collector Vulnerability
Quote:
Description:
A vulnerability has been reported in Mozilla Firefox, which can potentially be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an error in the Javascript Garbage Collector and can be exploited to cause a memory corruption via specially crafted Javascript code.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in version 2.0.0.13. Prior versions may also be affected.
Hello everyone! Just thought I'd chime-in and point you to a thread started by our friend unixfool. In it, he introduces us to Firekeeper, an IDS/IPS extension for Firefox. I haven't tried it yet, but it looks really promising and might be a great way for some of us to increase the security of our Firefoxes. If you wish to discuss Firekeeper, please use unixfool's thread.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Mozilla Firefox Multiple Vulnerabilities (Highly Critical)
Firekeeper for Firefox
