Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: JAR: protocol vulnerability in Firefox, word processing applications reported



> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of Juha-Matti Laurio
> Sent: Friday, November 09, 2007 3:17 AM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] JAR: protocol vulnerability in
> Firefox, word processing applications reported
>
> An unpatched vulnerability in handling of JAR: protocol
> handler URLs has been reported recently.
>
> Information is available at GNUCITIZEN Blog via entry "Web
> Mayhem: Firefox's JAR Protocol Issues".
>
> Information was publicly disclosed by Petko D Petkov (aka pdp).
> The issue was originally reported in Bugzilla document
> #369814 by Jesse Ruderman of Mozilla community.
> I.e. it's worth mentioning that Mozilla security group is
> aware of the vulnerability.
>
> Shortly: the vulnerability is due to same origin and XSS
> issues when opening .JAR packages.
> The following file formats are known attack vectors: .zip,
> .doc, and .odt.
> Information about OpenOffice.org and MS Office via pdp's post.
>
> References:
> http://www.gnucitizen.org/blog/web-mayhem-firefoxs-jar-protocol-issues
> http://blogs.securiteam.com/index.php/archives/1033
>
> - Juha-Matti
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
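Added example, not part of the forwarded message or of any Mozilla code: the advisory above names .zip, .doc and .odt as attack vectors because the jar: handler opens archive members out of a file the site already serves, so the page's same-origin and XSS concern lands on any site that hosts user-supplied archives. The check below, written from the hosting side, identifies ZIP containers by their magic bytes rather than by extension (.zip, .jar, .odt and the ZIP-based Office formats all share them), lists members a browser would render as active content, and decides to serve every such container as a download. The sample archives, the `serving_policy` helper and the extension list are constructed for this illustration.

```python
import io
import zipfile

# Signatures a ZIP container can legitimately begin with (local file header,
# empty-archive end-of-central-directory, spanned-archive marker).
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")

# Member extensions a browser renders as active content when an archive is
# opened through the jar: handler (constructed list for this example).
ACTIVE_EXTENSIONS = (".html", ".htm", ".xhtml", ".svg", ".js")


def is_zip_container(data: bytes) -> bool:
    """Identify a ZIP container by magic bytes, never by the filename extension."""
    return data[:4] in ZIP_SIGNATURES


def active_members(data: bytes) -> list:
    """Return archive member names that a browser would render as active content."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(ACTIVE_EXTENSIONS)]
    except zipfile.BadZipFile:
        # Signature matched but the archive is unreadable; nothing to list.
        return []


def serving_policy(filename: str, data: bytes) -> dict:
    """Decide how an uploaded file is served (hypothetical policy helper).

    Every ZIP container is sent as a download (Content-Disposition: attachment)
    so it is never rendered in the hosting origin, and archives carrying active
    content are additionally flagged for review.
    """
    zipped = is_zip_container(data)
    members = active_members(data) if zipped else []
    return {
        "filename": filename,
        "zip_container": zipped,
        "active_members": members,
        "content_disposition": "attachment" if zipped else "inline",
        "flag_for_review": bool(members),
    }


def make_archive(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: an ordinary document, an archive that carries an HTML
    # member, and a plain text file mislabelled with a .zip extension.
    samples = {
        "notes.odt": make_archive({"content.xml": b"<office/>"}),
        "photos.zip": make_archive({"index.html": b"<html>hello</html>"}),
        "readme.zip": b"just text",
    }
    for name, data in samples.items():
        print(serving_policy(name, data))
```

The decision keys on the container signature rather than the extension because the hosting side cannot rely on what the uploader named the file; serving the container as an attachment is the mitigation a site operator controls while waiting for the browser-side fix the advisory says Mozilla is aware of.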
Copyright © Lexa Software, 1996-2009.