(September 9th, 2005) - A security vulnerability has been detected in Firefox (1.0.6 and prior) as well as Mozilla (1.7.11 and prior), click here to jump to the relevant discussion (in this same thread).
Original Post (For Reference):
-----------------------------------------------------------------------------------------------------
Quote:
A seven year old vulnerability has been re-introduced in Mozilla and Firefox, which can be exploited by malicious people to spoof the contents of web sites.
it worked for me, in other words i'm vulnerable... the secunia page opened inside a frame of the window i had the microsoft website opened in (a very weird thing to see, indeed)...
i'm using firefox 1.0.4 on slackware 10.1... i hope to see firefox 1.0.5 soon...
Ok I stand corrected. I had to set links to open in a new window. FREAKY. If I use tabs or even manually open the links in a new window the test fails.
very scary. I wonder how long this bug has been in, as it worked with Firefox 1.0.3 in windows. Though with very important sites like my bank's site, I will close my browser then reopen so it is the first page I visit except my home page, then once I've finished I will close the browser again.
i was hoping it was a mistake and wouldn't work on my firefox 1.0.4... but when that secunia page opened in the microsoft frame (in the other window) i immediately started feeling nauseous...
BTW, i take it this is the first flaw for the newly-released Debian 3.1 (Sarge), right??
I cannot get the test page to work with any option (open in new tab by default, open in new window, same tab/window or anything). Maybe the vuln does not apply to Deer Park Alpha 1? Can anyone confirm this?
anybody heard anything about when 1.0.5 will be out to fix this??
AFAIK, this issue was already fixed in trunk and branches the day after i started this thread... what's taking so long to release a patched stable version??
since it seems this only works with new windows (and not new tabs), the simplest workaround would be to force links meant to open in new windows to instead open in new tabs... if you don't wanna go through the right-click routine, try this from the "known issues" section of the firefox 1.0.4 release notes:
Quote:
The Help documentation refers to "Single Window Mode" options regarding "Force links opened in new windows to open in [New Tab, Same Tab]." This function was disabled at the last minute due to problems we were experiencing with it, so ignore this section of Help. To re-enable the Single Window Mode options (at your own risk - there may be crashes), use the Configuration Console (accessed by entering "about:config" in the Location bar and pressing Enter) to set browser.tabs.showSingleWindowModePrefs to true.
i'm using Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050610 Firefox/1.0.4 (Debian package 1.0.4-3)
by the way, i have tried dillo. it is far better than 2 years ago,
the reasons i'm trying dillo:
1. it doesn't use "c++" "gecko"
2. its immaturity makes me spend less time doing internet.
3. it's small
4. it is safe enough to unable post some message to these kind of board.
if you're good at c, you can help them. yeah gtk and c.
from now, i am going back to dillo.
--
growing complexity, swimming somebody's brain.
Quote:
Originally posted by darkleaf
Couldn't get it to work in firefox 1.0.4 (debian package 1.0.4-3) so that's great. Or was it only on earlier versions and fixed already?
the debian website currently shows 1.0.4-2 as the latest package... so i guess -3 hasn't been listed yet... but yeah, i would assume that the -3 package is the patched firefox... if you already got -3 via apt-get i assume the advisory will be coming in the mail soon and also the firefox page on the debian site will be updated...
guys, there's been another security issue found...
i just did the secunia test and it worked (i'm vulnerable)...
Quote:
Secunia Research has discovered a vulnerability in Mozilla, Firefox, and Camino, which can be exploited by malicious web sites to spoof dialog boxes.
The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open e.g. a prompt dialog box, which appears to be from a trusted site.
Quote:
Originally posted by win32sux
the debian website currently shows 1.0.4-2 as the latest package... so i guess -3 hasn't been listed yet... but yeah, i would assume that the -3 package is the patched firefox... if you already got -3 via apt-get i assume the advisory will be coming in the mail soon and also the firefox page on the debian site will be updated...
That's the link to stable. Though security patches still go into it, apparently they're first bringing them through unstable and testing. I'm using unstable so that's why I have it.
edit: wow, that new test exploit looks real good. Hope they fix it soon; this could be something I wouldn't notice.