New Firefox cookie vulnerability, workaround
Security researcher/hacker Michal Zalewski has released a report on a security vulnerability affecting Firefox 2.0.0.1 and possibly earlier versions. The vulnerability could allow a malicious web site to impersonate an authentic one and set a cookie on its behalf. This could be used to perform cross-window and cross-frame attacks compromising personal information exchanged via Ajax. Zalewski has released a test case that demonstrates the vulnerability.
It has already been filed in Bugzilla for resolution. In the meantime, Zalewski recommends this workaround:
- Enter about:config in the location bar to access Firefox’s advanced preferences
- Right click on any preference and select New>String
- Enter capability.policy.default.Location.hostname.set for the preference name
- Enter noAccess for the preference value
- Restart Firefox
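
To confirm the workaround has actually been written to a profile, the following added example (not from Zalewski's report or from Mozilla) parses the text of a prefs.js file and reports whether the preference from the steps above is present with the value noAccess. It assumes the one-statement-per-line `user_pref("name", value);` layout Firefox uses in prefs.js; the function names and the sample file contents are constructed for illustration.

```python
import re

# Preference name and value taken from the workaround steps above.
PREF_NAME = "capability.policy.default.Location.hostname.set"
PREF_VALUE = "noAccess"

# One user_pref("name", value); statement per line, as Firefox writes prefs.js.
# The value is a quoted string (with backslash escapes), an integer or a boolean.
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*'
    r'("(?:[^"\\]|\\.)*"|-?\d+|true|false)\s*\)\s*;',
    re.MULTILINE,
)


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; later lines win."""
    prefs = {}
    for name, raw in _PREF_RE.findall(text):
        if raw.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", raw[1:-1])  # drop escape backslashes
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def workaround_status(text):
    """Classify a prefs.js body: 'applied', 'missing' or 'wrong-value'."""
    prefs = parse_prefs(text)
    if PREF_NAME not in prefs:
        return "missing"
    return "applied" if prefs[PREF_NAME] == PREF_VALUE else "wrong-value"


# Constructed sample input, not taken from a real profile.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("capability.policy.default.Location.hostname.set", "noAccess");
user_pref("network.cookie.cookieBehavior", 0);
"""

if __name__ == "__main__":
    print(workaround_status(SAMPLE_PREFS_JS))
```

Pass the function the contents of the prefs.js file from the profile being checked; a commented-out line is treated as missing.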
It’s still unknown whether this will be fixed in the upcoming 2.0.0.2 (due by the end of February), but most likely it won’t. You can read the original report here.
Comments
ericsk’s blog » Firefox 2.0.0.1 security vulnerability
[...] Firefox 2.0.0.1 has been found to have a security vulnerability: New Firefox cookie vulnerability, workaround, and the bug report: Zalewski cookie setting / same-domain bypass [...]
JS
I have added this item in about:config and used the test site to see if it worked. Says I’m ok but I cannot see it in about:config. Does it hide itself, and can it be removed if it’s proved troublesome?
Thanks
JS
JS
Also, if I add it to Prefs.js with Firefox closed, Firefox removes the line when I launch it. Is NoScript doing this?
Percy Cabello
I noticed that the new preference is not listed in about:config after adding it during my tests but forgot to mention it in the article. However, I see it in my prefs.js file and I could remove it from there at any time if necessary.
Haven’t tried it with NoScript installed though.
幻想的世界
Firefox 2.0.0.1 security vulnerability
Today I found news of this vulnerability on the Mozilla Taiwan forum. The vulnerability is mainly due to improper handling of the DOM (Document Object Model) “location.hostname” property, so that a malicious website has a chance to obtain other websites’ Co…

Firefox 2.0.0.1 security vulnerability at Gea-Suan Lin’s BLOG
[...] Firefox 2.0.0.1: improper handling of the DOM causes cookie leakage and other security vulnerabilities: New Firefox cookie vulnerability, workaround; the bug report is at Bugzilla@Mozilla: Zalewski cookie setting / same-domain bypass [...]