Re: [gopher] XSS in Gopher in Fx 3.6.11
Cameron Kaiser <spectre@floodgap.com> writes:
> http://www.mozilla.org/security/announce/2010/mfsa2010-68.html
>
> I'd like to see this bug, but Bugzilla has it sec-locked still. I wonder
> if OverbiteFF is vulnerable to it also (I don't think so, I tried to do
> as much as I could to sanitize it).
Security through obscurity is interesting - the bug is still locked.
I suppose that if they didn't have already decided to remove gopher
support, they'd do it now to "fix" this bug.
>From what I understand, this means Gecko somehow allows HTML and
JavaScript to go through while rendering the menu.
I think I'm missing something, because they say "run [...] within the
context of the site.". So this means they've accidentally enabled
javascript support in gopher menus, right? From this description, it
seems it's not different (as in "more dangerous") from a webpage with a
<SCRIPT> block.
But we probably have to wait until they disclose the bug to completely
understand what is it about.
--
Nuno J. Silva
gopher://sdf-eu.org/1/users/njsg
_______________________________________________
Gopher-Project mailing list
Gopher-Project@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/gopher-project
Reply to: