Firefox security flaw


  • Joined: 25 Mar 2004
  • Posts: 816

I came across a news item that is a bit old (15 February), but what surprises me is that I have not noticed it being mentioned here on MC. If it has already been posted, I apologise. It concerns a flaw that lets an attacker manipulate authentication cookies via JavaScript:

Quote:
Firefox suffers from a flaw that allows attackers to manipulate the authentication cookies of virtually any website, a vulnerability Bugzilla has deemed severe. It's the second major security lapse for the open-source browser in as many days.

The defect, which stems from the way Firefox writes to the "location.hostname" property of the document object model, can be exploited by a specially doctored script that sets variables that normally wouldn't be accepted when parsing a regular URL, according to researcher Michal Zalewski, who uncovered Monday's vulnerability as well.

By injecting a text string that includes "\x00," normal safeguards can be bypassed, allowing the browser to be fooled about the origin of a domain trying to set or modify a cookie. The sleight of hand makes a victim's browser appear to be talking to trustedbank.com when in fact it is receiving data from evilhackers.com.

Source
http://www.theregister.com/2007/02/15/firefox_vuln/

The following browsers are affected:
Firefox versions 1.5.0.9 and 2.0.0.1 and lower, as well as SeaMonkey 1.0.7.
The recommendation is to upgrade as soon as possible to versions 1.5.1.0 and 2.0.0.2 for Firefox and 1.0.8 and 1.1.1 for SeaMonkey.

Here is a demo of the flaw and a temporary workaround for it.
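As an added example that is not part of this post, the linked article, or Mozilla's own fix: a strict hostname validator in JavaScript, placed in front of the cookie-domain scoping decision the quoted text describes. The function names (validateHostname, cookieDomainAllowed) and the sample strings are constructed for illustration; trustedbank.com and evilhackers.com are the names used in the quoted article.

```javascript
// Added example, not code from the post or from Mozilla's patch. It shows the
// kind of check that should sit in front of any cookie-scope decision: the host
// string is rejected outright if it carries control characters (including
// "\x00"), so a length-aware string and a NUL-terminated C string can never
// disagree about what the hostname actually is.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i; // one DNS label

function validateHostname(host) {
  if (typeof host !== 'string' || host.length === 0 || host.length > 253) {
    return { ok: false, reason: 'empty or too long' };
  }
  // Reject control characters and anything non-ASCII before any other parsing.
  if (/[\x00-\x1f\x7f-\uffff]/.test(host)) {
    return { ok: false, reason: 'control or non-ASCII character' };
  }
  const labels = host.replace(/\.$/, '').split('.');
  for (const label of labels) {
    if (!LABEL_RE.test(label)) {
      return { ok: false, reason: `bad label "${label}"` };
    }
  }
  return { ok: true, reason: '' };
}

// Decide whether a cookie with the given Domain attribute may be set for a page
// served from pageHost. Both values are validated first; the match itself is the
// usual "same host or a dot-bounded suffix" rule. Public-suffix handling
// (e.g. refusing Domain=com) is deliberately out of scope here.
function cookieDomainAllowed(cookieDomain, pageHost) {
  const domain = String(cookieDomain).replace(/^\./, '').replace(/\.$/, '').toLowerCase();
  const host = String(pageHost).replace(/\.$/, '').toLowerCase();
  if (!validateHostname(domain).ok || !validateHostname(host).ok) {
    return false;
  }
  return host === domain || host.endsWith('.' + domain);
}

// Constructed samples; the two domain names come from the quoted article.
const SAMPLES = [
  ['trustedbank.com', 'www.trustedbank.com'],
  ['evilhackers.com', 'www.trustedbank.com'],
  ['trustedbank.com', 'www.trustedbank.com\x00.evilhackers.com'],
];
for (const [domain, host] of SAMPLES) {
  console.log(JSON.stringify(host), '->', cookieDomainAllowed(domain, host));
}
```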


