Re: [gopher] XSS in Gopher in Fx 3.6.11
> > http://www.mozilla.org/security/announce/2010/mfsa2010-68.html
> >
> > I'd like to see this bug, but Bugzilla has it sec-locked still. I wonder
> > if OverbiteFF is vulnerable to it also (I don't think so, I tried to do
> > as much as I could to sanitize it).
>
> Security through obscurity is interesting - the bug is still locked.
>
> I suppose that if they didn't have already decided to remove gopher
> support, they'd do it now to "fix" this bug.
>
> From what I understand, this means Gecko somehow allows HTML and
> JavaScript to go through while rendering the menu.
I figured it out thanks to carefully looking through hg changesets until I
found the bug. To wit,
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/55bad5ea82c9
Notice that the flaw is NOT in the menu processor, so the summary is quite
misleading. The bug is actually in the code that linkifies plain text,
which is easiest to exploit from gopher because gopher always uses it. Since
OverbiteFF does not linkify text (although this was a ridiculously stupid
bug if you read the code), it is not vulnerable. If someone finds a way to
XSS OverbiteFF, I want to know about it!
This will reliably exploit the bug:
gopher://gopher.floodgap.com/0/test/expl/bad
(it's just an alert()). It still works on Camino 2.0.5 because that is built
on 3.0.next, which is still vulnerable and was not fixed by this patch.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckaiser@floodgap.com
-- Every new beginning comes from some other beginning's end. -- "Closing Time"
_______________________________________________
Gopher-Project mailing list
Gopher-Project@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/gopher-project
Reply to: