Mamoru Tasaka
mtasa****@ioa*****
Sun Nov 15 22:21:20 JST 2009
Hello:

Yavor Doganov wrote, at 11/15/2009 07:03 PM +9:00:
> Greetings,
>
> The following security bug was reported to Debian against the
> kazehakase package:
>
> CVE-2007-1084[0]:
> | Mozilla Firefox 2.0.0.1 and earlier does not prompt users before
> | saving bookmarklets, which allows remote attackers to bypass the
> | same-domain policy by tricking a user into saving a bookmarklet with a
> | data: scheme, which is executed in the context of the last visited web
> | page.
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1084
>
> More information and a reproducible test case are available at
> http://lcamtuf.coredump.cx/ffbook/.
>
> I propose the attached patch.

Well, I don't know much about JavaScript or CVE-2007-1084, however:

- What is the rationale for disabling bookmarking of URIs beginning with "data:"? I have a Fedora 12 i686 system, and even with firefox 3.5.5 I can bookmark such a URI (i.e. a URI beginning with data:).
- Moreover, even with firefox 3.5.5 / xulrunner 1.9.1.5 I can see the "EXPLOITATION SUCCESSFUL" message, although I don't know what the exact exploitation is.

So would you explain in more detail?

Regards,
Mamoru