Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
I've downloaded the new version, and extracted the tar archive. However, the installation instructions on the site were sparse, to say the least:
Doing just this, the firefox command still opens the old version, and the new version will open only if I specify the full path.
Entering which firefox points to /usr/bin/firefox, which is a symlink to the old firefox file. Should I just change this to point to the new version, or is there something more clever that I should do?
For Tarballs, generally after you untar it (this just uncompresses the file) , you cd to the directory then run the installer which is generally something like this:
Try that and see if that helps. Or check out the readme file, it should have install instructions.
Mozilla Firefox Multiple Vulnerabilities (Highly Critical)
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system.
2) An error in the "addEventListener" method can be exploited to inject script into another site, circumventing the browser's same-origin policy. This could be used to access or modify sensitive information from the other site.
3) An error in the handling of XUL popups can be exploited to spoof parts of the browser such as the location bar.
Mozilla Firefox / Seamonkey "resource://" Information Disclosure (Not Critical)
A security issue has been reported in Mozilla Firefox and Mozilla Seamonkey, which can be exploited by malicious people to disclose potentially sensitive information.
Note: The directory traversal is fixed in Mozilla Firefox version 188.8.131.52 for Windows. However it is still possible to include files from the installation folder. Also, the directory traversal issue is not fixed for UNIX-like operating systems. Reportedly, this also introduces a new, unspecified input validation flaw.
I believe the newest version of NoScript blocks a lot of these exploits.Not all,of course,but quite a few.I think the authors have been working with Jeremiah Grossman and RSnake to fix a lot of issues.
Carl Hardwick has discovered a weakness in Firefox, which potentially can be exploited by malicious people to disclose sensitive information.
The weakness is caused due to a design error within the focus handling of form fields and can potentially be exploited by changing the focus from a "textarea" field to a "file upload" form field via the "OnKeyDown" event.
Successful exploitation allows an arbitrary file on the user's system to be uploaded to a malicious web site, but requires that the user is tricked into typing the file name into a "textarea" input form.
The weakness is confirmed in version 184.108.40.206. Other versions may also be affected.
Do not enter file names to form fields on untrusted web sites.
Michal Zalewski has discovered a vulnerability in Mozilla Firefox, which can be exploited by malicious people to disclose sensitive information and conduct spoofing attacks.
The vulnerability is caused due to an error in the handling of the "wyciwyg://" URI handler. This can be exploited to access or spoof contents from a previously cached web site e.g. via HTTP 302 redirects when a user visits a malicious web page.
The vulnerability is confirmed in version 220.127.116.11. Other versions may also be affected.
Firefox "firefoxurl" URI Handler Registration Vulnerability (Highly Critical)
Unlike the above vulnerability (which is exploitable on GNU/Linux), this one does not seem to directly affect GNU/Linux. However, I'm leaving it posted here in the hopes that it raises awareness about the possible dangers involved whenever you have Firefox initiated from other apps. I'm thinking stuff like Gaim/Pidgin, etc.
A vulnerability has been discovered in Firefox, which can be exploited by malicious people to compromise a user's system.
The vulnerability is confirmed in Firefox version 18.104.22.168 on a fully patched Windows XP SP2. Other versions may also be affected.
Mozilla Firefox Multiple Vulnerabilities (Highly Critical)
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct spoofing and cross-site scripting attacks and potentially to compromise a user's system.
1) Various errors in the browser engine can be exploited to cause memory corruption and potentially to execute arbitrary code.
3) An error in the "addEventListener" and "setTimeout" methods can be exploited to inject script into another site's context, circumventing the browser's same-origin policy.
4) An error in the cross-domain handling can be exploited to inject arbitrary HTML and script code in a sub-frame of another web site.
I saw this on Slashdot.org today, and thought I'd post a link here as a heads-up.
The Mozilla developers have fixed a known hole in the password manager of Firefox & Co, but a door remains open for exploitation. If the user gives permission, the inbuilt password manager of the open-source browser saves passwords and enters data into the respective form fields on the user's next visit automatically. This happens not only on the page where the password was saved, but also on all other pages on this server that contain a similar form.
Mozilla Products Addon Chrome-Loaded "about:blank" Cross-Context Scripting
A vulnerability has been reported in Mozilla products, which potentially can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an error within the handling of "about:blank" pages loaded by chrome in an addon. This can be exploited to execute script code under chrome privileges by e.g. clicking on a link opened in an "about:blank" window created and populated in a certain ways by an addon.
Successful exploitation requires that certain addons are installed.
The vulnerability is reported in the following products and versions:
* Firefox 22.214.171.124
* Thunderbird 126.96.36.199
* SeaMonkey 1.1.3
Mozilla has acknowledged a security issue in Firefox, which potentially can be exploited by malicious people to compromise a user's system.
Hi crashmeister. Could you clarify whether this is a Firefox vuln or a Google vuln? I took a look at the link but didn't see anything that looked Firefox-specific. Also, considering this seems to have been posted by the NoScript developer, are we to understand that NoScript protects against it?