 |
www.elektronik.si
Forum o elektrotehniki in računalništvu
|
| Poglej prejšnjo temo :: Poglej naslednjo temo |
| Avtor |
Sporočilo |
Bostjan
Moderator
Pridružen-a: Pon 28 Jul 2003 15:06
Prispevkov: 190
Aktiv.: 0.80
Kraj: Ljubljana
|
 Objavljeno: Tor Maj 10, 2005 10:36 am Naslov sporočila: Zelo resni pomanjkljivosti v Firefoxu |
 |
|
Secunia opozarja pred pomanjkljivostma v spletnem brskalniku Firefox, ki ju je mogoče izkoristiti za skriptne napade in vdor v sistem uporabnika.
Za uspešno izkoriščanje pomanjkljivosti mora imeti spletna stran dovoljenje za nameščanje programske opreme. Pri Secunii prav tako opozarjajo, da že obstaja koda za izkorišanje pomanjkljivosti, ki zagotovo obstajata v različici 1.0.3, verjetno pa tudi pri drugih različicah brskalnika. (aNET)
Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.
NOTE: Exploit code is publicly available.
The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.
Solution:
1) Disable JavaScript.
2) Disable software installation: Options --> Web Features --> "Allow web sites to install software"
NOTE: A temporary solution has been added to the sites "update.mozilla.org" and "addons.mozilla.org" where requests are redirected to "do-not-add.mozilla.org". This will stop the publicly available exploit code using a combination of vulnerability 1 and 2 to execute arbitrary code in the default settings of Firefox.
_________________
LP,
Boštjan M.
Srce heroja bije v vsakomur, a le izbrani ga lahko tudi slišijo. (Charles Barkley) |
|
| Nazaj na vrh |
|
 |
mleko_milk
Član
Pridružen-a: Ned 10 Apr 2005 16:09
Prispevkov: 73
Aktiv.: 0.31
Kraj: Ljubljana
|
| Objavljeno: Pet Maj 13, 2005 3:43 pm Naslov sporočila: |
|
|
Včeraj je izšla nova različica vedno bolj priljubljenega brskalnika Mozilla Firefox. V različici (1.0.4) so odpravili tri luknje ter odpravili napake, ki so se pojavljale na nekaterih straneh z DHTML-om.
"download" nove različice
_________________
Kar je dobro, ni slabo. |
|
| Nazaj na vrh |
|
|
|
|
Ne, ne moreš dodajati novih tem v tem forumu
Ne, ne moreš odgovarjati na teme v tem forumu
Ne, ne moreš urejati svojih prispevkov v tem forumu
Ne, ne moreš brisati svojih prispevkov v tem forumu
Ne ne moreš glasovati v anketi v tem forumu
Ne, ne moreš pripeti datotek v tem forumu
Ne, ne moreš povleči datotek v tem forumu
|
Uptime: 500 dni
Powered by phpBB © 2001, 2005 phpBB Group
|
Pomoč
Išči
Seznam članov
Skupine
Statistika
Album
Filemanager
Registriraj se
Priponke
Koledar
Tvoj profil
Prijava
