Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability

Discussion in 'other security issues & news' started by ronjor, Apr 5, 2005.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,724
    Location:
    Texas
    Netscape and Mozilla are also affected. A test is at the link.

    Secunia
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,724
    Location:
    Texas
    Flaw found in Firefox

    More Info
     
  3. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    If you happen to use Proxomitron, here is a filter that *may* block this vulnerability (I still don't have a clear idea on how this flaw works):

    Code:
    [Patterns]
    Name = "Mozilla: Memory Access Remover [Kye-U]"
    Active = TRUE
    URL = "($TYPE(htm)|$TYPE(js))"
    Limit = 30
    Match = ".replace\(\w,function\($[#1-9]\)"
    Replace = ".Shonenscape"
     
  4. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Well, that was fun! It felt like half my computer's brain was just left at Secunia! So, Proxomitron is the only workaround right now?
     
  5. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    So I disabled JavaScript and now I can only answer in this little quote box, or is that something else?
     
  6. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    You might be able to do the same sort of thing with the Greasemonkey extension.

    If you haven't seen it before, this extension allows you to make arbitrary changes to webpages dynamically:
    • useful to fix pages that are slightly broken under Moz/FF
    • useful to add in features rather than waiting for the site owners...
    • possibly useful in this case to dynamically ferret out unwanted js behaviour
    Greasemonkey can be found at http://greasemonkey.mozdev.org/
     
  7. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481