[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Is Mozilla's "patch" enough?

Subject: Re: [Full-Disclosure] Is Mozilla's "patch" enough?
From: Daniel Wang <whiteclover79-security@xxxxxxxxxxxx>
Date: Tue, 13 Jul 2004 02:15:40 -0700

Aviv Raff wrote:

How can it not be a security flaw of mozilla if a setting in the
user.js overrides the global security setting defined by a patch, and
any manual setting defined by the user through the about:config?

I understand that if an attacker has the ability to change the user.js
file he can do worse things, but why should there be a way to override
security patches without uninstalling them?

I think user.js (or the lockPref settings in mozila.cfg) makes Mozilla
more spyware/worms oriented.

Please explain your point.

AFAIK, the preferences component of Mozilla has no code that can write to user.js.

As for mozilla.cfg, 1) it is obscured by simple byte-shift, 2) its first line is bypassed (and should be made an invalid JS code), and 3) must be referenced in all.js (or another default pref file) to work.

I don't understand how someone can change user.js/mozilla.cfg without already having access to the client computer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] Is Mozilla's "patch" enough?
  - From: Aviv Raff
- Re: [Full-Disclosure] Is Mozilla's "patch" enough?
  - From: Thomas Kaschwig
- Re: [Full-Disclosure] Is Mozilla's "patch" enough?
  - From: Aviv Raff

Prev by Date: [Full-Disclosure] MySQL 4.1/5.0 zero-length password auth. bypass - modified MySQL client
Next by Date: RE: [Full-Disclosure] Erasing a hard disk easily
Previous by thread: Re: [Full-Disclosure] Is Mozilla's "patch" enough?
Next by thread: [Full-Disclosure] Firefox 0.92 DoS via TinyBMP
Index(es):
- Date
- Thread