Re: [Full-Disclosure] Cross-Platform Browser vulnerabilities - Critical
From: Daniel Veditz (dveditz_at_cruzio.com)
Date: 06/08/03
- Previous message: Nick Jacobsen: "Re: [Full-Disclosure] Suggestions for a netbios emulator (honeypot)?"
- In reply to: meme-boi: "[Full-Disclosure] Cross-Platform Browser vulnerabilities - Critical"
- Next in thread: meme-boi: "Re: [Full-Disclosure] Cross-Platform Browser vulnerabilities - Critical"
- Reply: meme-boi: "Re: [Full-Disclosure] Cross-Platform Browser vulnerabilities - Critical"
To: full-disclosure@lists.netsys.com
Date: Sun, 08 Jun 2003 09:50:37 -0700

meme-boi wrote:
> Synopsis:
> --------
>
> Opera, Mozilla & Netscape with javascript enabled are vulnerable
> to remote command execution. This has been tested on Microsoft,
> and many many Unices. Macintosh may also be vuln.

The exploit example you give is not remote command execution but rather a
violation of the same origin policy. Unless there are additional details you
are withholding, this same flaw was reported on Bugtraq April 15
http://www.securityfocus.com/archive/1/318777
and fixed in Mozilla 1.3
http://bugzilla.mozilla.org/show_bug.cgi?id=201132

> There are many, many more issues than I have discussed. The minimal
> release is for giving the blackhats time to play.

If instead you'd like to give the whitehats time to fix them, details would
be gratefully received by "security" at "mozilla.org"

-Dan Veditz
Mozilla security group member
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html