Message-ID: <20040802131549.3978.qmail@www.securityfocus.com>
Date: 2 Aug 2004 13:15:49 -0000
From: Justin Polazzo <jo@...o.net>
To: bugtraq@...urityfocus.com
Subject: Re: Fwd: New possible scam method : forged websites using XUL (Firefox)
In-Reply-To: <20040730210508.GT19188@...urityfocus.com>

"The security implications of 
this trick were considered as early as 1999 in Mozilla Bug 22183
(http://bugzilla.mozilla.org/show_bug.cgi?id=22183).  However, the 
Mozilla Foundation has kept the Bug confidential until recently, 
when a researcher noted the problem and published a 
particularly-effective demonstration, spoofing a "PayPal" login 
site (see http://www.nd.edu/~jsmith30/xul/test/spoof.html)."

5 Years to fix a vuln? I am not sure if even Microsoft has been that slow to confront a security flaw. Has anyone heard an explanation as to why this was kept confidential and swept under the rug until now?


BTW: Thank you Mr. Smith for an excellent page.

Jo

