[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception

Subject: Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception
From: exon <exon@xxxxxxx>
Date: Mon, 29 Nov 2004 10:24:24 +0100

Jose Nazario wrote:

On Thu, 25 Nov 2004, Heikki Toivonen wrote:

3. Either login if you already have an account, or click "create new
account". Let's assume we need to create a new account...
4. Type in a valid email address and click "Create Account"
5. [mail] Read email that was sent to the address to get password
6. back on in the browser, click "log in here"
7. fill in your username and password and click "login"

[snip the rest of useful info on how to post good, healthy, actionable bug
reports]

requiring someone to register to post a bug is harmful in the sense that
you wind up turning off peopl ewho simply can't be bothered to fill out
that info or wish to remain anonymous.

Hence the security@xxxxxxxxxxx address.

If you are anxious to get the bug fixed you have the option of filling out the form and thereby making yourself available for further questions, getting email with bug updates and the ability to submit coredumps and whatnot.

If you're not so anxious you can simply send in an email and be content with having let them know about it. Firefox still has the benefit of running on a multitude of platforms and architectures. Someone trying to exploit a vulnerability in it (as opposed to just crashing it) would have to know both to be successful.

while i definitely see the benefit
of forcing registration or even wanting it, i bet you'e losing more bug
reports than you care to imagine this way.

Perhaps the problem lies in the fact that the mozilla coders want people to use the forum so they don't promote the security@xxxxxxxxxxx mail address enough?

benefits of forcing/encouraging registration include:
        - garaunteed line of followup
        - reduced spam quantities in bugzilla
        - at leasta cutofof "i care enough to ..."

still, you're losing more than you may expect. i know i've failed to file
bug reports (non-security related) for mozilla products due to this "speed
bump". the security@ route is useful, and i'm glad you pointed it out.
this point should be considered by anyone who runs a bug reporting page
for open submissions, you may be doing more harm than benefit.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception
  - From: Berend-Jan Wever
- Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception
  - From: Heikki Toivonen
- Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception
  - From: Jose Nazario

Prev by Date: [Full-Disclosure] Password Disclosure for SMB Shares in KDE's Konqueror
Next by Date: [Full-Disclosure] Is www.sco.com hacked?
Previous by thread: Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception
Next by thread: Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception
Index(es):
- Date
- Thread