Message-ID: <8beca8204071207234688da01@mail.gmail.com>
From: avivra at gmail.com (Aviv Raff)
Subject: Is Mozilla's "patch" enough?

How can it not be a security flaw of mozilla if a setting in the
user.js overrides the global security setting defined by a patch, and
any manual setting defined by the user through the about:config?

I understand that if an attacker has the ability to change the user.js
file he can do worse things, but why should there be a way to override
security patches without uninstalling them?

I think user.js (or the lockPref settings in mozilla.cfg) makes Mozilla
more spyware/worms oriented.

On Mon, 12 Jul 2004 16:01:53 +0200, Thomas Kaschwig <thomas@...chwig.net> wrote:
> Aviv Raff wrote:
> 
> > If an attacker has a file writing access to the user's default profile
> > directory, or somehow manages to update/create the file user.js (or
> > even worse - mozilla.cfg) he can override the patch's configuration
> > change, and enable the shell protocol handler again.
> 
> Nobody should have write access to your user profile. If someone is able
> to modify your user.js file, (s)he can enable some worse options, e.g.
> the protocol handler for `hcp' or `vbscript', but this is not a security
> flaw of mozilla...
> 
> Thomas
> --
> PGP/GnuPG: http://www.kaschwig.net/kaschwig.gpg.asc * KeyID: 0x3D68D63A
> Fingerprint: 274A 4CB8 B362 D593 39D6 0989 8FC3 725F 3D68 D63A
>
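
An audit sketch for the override discussed in this thread, added here as an example and not code from either poster or from Mozilla: it reads the text of a user.js (or a plain-text mozilla.cfg) and reports external protocol handler prefs whose effective value is true. The pref branch name `network.protocol-handler.external.` and the sample file content are assumptions made for this example.

```python
import re

# Assumption: external protocol handlers are gated by prefs under this
# branch, e.g. network.protocol-handler.external.shell for "shell:".
WATCHED_BRANCH = "network.protocol-handler.external."

# Matches user_pref("name", value) and the lockPref/defaultPref/pref forms.
# Lines that start with "//" never match because a call name must come first.
PREF_CALL = re.compile(
    r'^[ \t]*(user_pref|lockPref|defaultPref|pref)\s*\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)',
    re.MULTILINE,
)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def effective_prefs(text):
    """Return {name: (call, value)}; a later line for the same name wins."""
    prefs = {}
    for call, name, value in PREF_CALL.findall(BLOCK_COMMENT.sub("", text)):
        prefs[name] = (call, value)
    return prefs


def reenabled_handlers(text):
    """List (pref name, call) for watched prefs whose effective value is true."""
    return sorted(
        (name, call)
        for name, (call, value) in effective_prefs(text).items()
        if name.startswith(WATCHED_BRANCH) and value == "true"
    )


# Constructed sample user.js content, not taken from a real profile.
SAMPLE_USER_JS = '''\
// user.js
user_pref("browser.startup.homepage", "http://example.org/");
/* user_pref("network.protocol-handler.external.vbscript", true); */
user_pref("network.protocol-handler.external.shell", false);
user_pref("network.protocol-handler.external.shell", true);
user_pref("network.protocol-handler.external.hcp", true);
// user_pref("network.protocol-handler.external.mailto", true);
'''

if __name__ == "__main__":
    for name, call in reenabled_handlers(SAMPLE_USER_JS):
        print(f"{call} re-enables {name}")
```

Because the last line for a given pref name wins, the check reports the effective value rather than every matching line, so a `false` followed by a later `true` is still flagged.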

