Open Source and information security mailing list archives
 
Message-ID: <e1653960706041242u72fd356cof8bf68fe46878654@mail.gmail.com>
Date: Mon, 4 Jun 2007 21:42:05 +0200
From: "Thor Larholm" <larholm@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Unpatched input validation flaw in Firefox 2.0.0.4

Firefox 2.0.0.4 contains a fix for a directory traversal vulnerability
that allowed you to read local files through the resource protocol.

However, the patch only partially fixed the vulnerability on Windows
systems and accidentally circumvents an existing input validation
check.

The net result is that you can still read some local files on Windows
and all user accessible files on Linux/Unix/OS X, with all user
accessible files potentially readable as well on Windows through the
patch regression.

http://larholm.com/2007/06/04/unpatched-input-validation-flaw-in-firefox-2004/

Cheers

Thor Larholm
