[Kazehakase-devel 2934] Re: CVE-2007-1084 bookmarklets cross-site info disclosure


Yavor Doganov yavor****@gnu*****
Mon Nov 16 00:59:16 JST 2009


Mamoru Tasaka wrote:
> I already saw the URL, however still I fail to understand the
> rationale.

See http://lcamtuf.coredump.cx/ffbook/attack.js.  I'm not familiar
with JavaScript either, but it seems to me that an attacker can gain
access to sensitive data when the bookmarked page is loaded and the
script is executed in the context of the last visited page.

It is of medium severity, because it still needs user action for this
to happen.

> If it is possible to add the uri manually anyway, I don't see the
> necessity of the patch.

You can always add the bookmark by editing ~/.kazehakase/bookmarks.xml
anyway, so I don't think this is a valid argument.  At least the
Debian Security Team confirmed that this will fix the CVE (I'm not a
security expert myself so I'm not prepared to argue).

> ... But when bookmarking the uri, the user is seeing the uri once
> anyway?

Yes.  The problem is when (the common case) the user is not familiar
with the implications.

> Yes, so it means that firefox people are refusing the proposition?

No, it means that they agree this is an issue that has to be fixed and
even have an approved patch, but it has not been applied (for whatever
reasons).

> (and the original bug is
> https://bugzilla.mozilla.org/show_bug.cgi?id=371179 )

Right, sorry.
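
Since bookmarks.xml can also be edited by hand, a check made only when a bookmark is added does not cover entries already in the file. The following is an added example, not part of this thread or of Kazehakase's code, that audits a bookmarks file for script-capable hrefs. The XBEL-style layout, the scheme list and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Schemes treated as script-capable here (assumed policy for this audit).
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}
# URL parsers drop leading control/space characters and any tab/CR/LF
# inside the URL, so the check must normalise the same way before matching.
_LEADING = re.compile(r"^[\x00-\x20]+")
_INNER = re.compile(r"[\t\r\n]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def uri_scheme(uri):
    """Return the lower-cased scheme a browser would see, or None."""
    cleaned = _INNER.sub("", _LEADING.sub("", uri)).lower()
    m = _SCHEME.match(cleaned)
    return m.group(1) if m else None


def audit_bookmarks(xml_text):
    """Return [(title, scheme)] for every bookmark whose href can run script."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("bookmark"):
        scheme = uri_scheme(node.get("href", ""))
        if scheme in SCRIPT_SCHEMES:
            findings.append((node.findtext("title", default=""), scheme))
    return findings


# Constructed sample; XBEL-style layout assumed, not a real bookmarks.xml.
SAMPLE = """<xbel version="1.0">
  <folder><title>Toolbar</title>
    <bookmark href="https://bugzilla.mozilla.org/show_bug.cgi?id=371179"><title>Bug</title></bookmark>
    <bookmark href="  JavaScript:void(0)"><title>Padded, mixed case</title></bookmark>
    <bookmark href="java&#9;script:void(0)"><title>Embedded tab</title></bookmark>
    <bookmark href="data:text/html,hello"><title>Data URI</title></bookmark>
  </folder>
</xbel>"""

if __name__ == "__main__":
    for title, scheme in audit_bookmarks(SAMPLE):
        print(f"script-capable bookmark: {title!r} ({scheme}:)")
```

A plain prefix comparison against "javascript:" would miss the padded and tab-split entries in the sample, which is why the scheme is normalised first.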



