Full Disclosure mailing list archives
Re: Is Mozilla's "patch" enough?
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Mon, 12 Jul 2004 11:20:23 -0400
Pavel Kankovsky wrote:
> The user has already lost. Game over. An attacker can exploit the ability to modify the user's configuration in many different ways. E.g. redirect the browser to a proxy under the attacker's control, make Mozilla use a trojanized Chrome or a trojanized Java plugin, etc.
My thought about this is that if someone can gain access to the system in order to change the contents of prefs.js, then why would they want to be able to run even more code via shell: ?
At that point they already have the ability to run code on the box because they have to be able to do that to modify the config files.
And yes, I firmly believe that whitelisting the "safe" protocols is better than maintaining a blacklist.
-Barry