lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
From: bkfsec at sdf.lonestar.org (Barry Fitzgerald)
Subject: Re: Fwd: New possible scam method : forged websites using XUL
 (Firefox)

Below is my message to bugtraq regarding the Mozilla XUL forgery 
advisory.  Please note that my post was rejected from bugtraq because 
the moderator claimed openly that the "the Mozilla developers show how 
amazingly out of touch they are" (his words) indicating that my message 
was not relevent while the previous one, according to them, was.

I'd like to continue discussion of this issue -- and will be forced to 
do so in the free venue of Full Disclosure since securityfocus' bugtraq 
has shown itself to now be utterly useless.

          -Barry

note: My point is that it's a security issue, but not a vulnerability of 
the code execution type, and thus not comparable to the timeframe it 
took to fix IE's latest flaws.  It was also not "swept under the rug" as 
it's discussion was on a public resource.  Appearently, bugtraq's 
moderators think it's OK to blindly attack Mozilla but not OK to try to 
clearify the issue.  Nice move, showing your true colors like this.

 

Barry Fitzgerald wrote:

> Justin Polazzo wrote:
>
>>
>> 5 Years to fix a vuln? I am not sure if even Microsoft has been that 
>> slow to confront a security flaw. Has anyone heard an explanation as 
>> to why this was kept confidential and swept under the rug until now?
>>
>>
>> BTW: Thank you Mr. Smith for an excellent page.
>>
>>  
>>
>
> Sounds to me like sensationalist hyperbole more than it does that this 
> was "kept confidential".  (I hardly call bugzilla confidential.)
>
> This is not a vulnerability.  This is an interface option that can be 
> used to carry out a forgery.  The same can be done using the IMG tag.  
> Since I can use another company's logo on  my "forged" site using the 
> IMG tag, are you then going to ask why it took the w3c over a decade 
> to remove the IMG tag vulnerability?
>
> Give me a break...
>
>       -Barry
>
> p.s.  Don't get me wrong, this is a security issue that should be 
> fixed.  At the very least, it should be possible to disable XUL or 
> limit it's usage.   However, comparing this to the recent IE 
> vulnerabilities is poor judgement to say the least.
>
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ