Re: Fwd: New possible scam method : forged websites using XUL (Firefox)

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: Re: Fwd: New possible scam method : forged websites using XUL (Firefox)
From: Barry Fitzgerald <bkfsec@xxxxxxxxxxxxxxxx>
Date: Tue, 03 Aug 2004 13:03:41 -0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <410FA2D3.4030306@xxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20040802131549.3978.qmail@xxxxxxxxxxxxxxxxxxxxx> <410FA2D3.4030306@xxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616

Below is my message to bugtraq regarding the Mozilla XUL forgeryadvisory. Please note that my post was rejected from bugtraq becausethe moderator claimed openly that the "the Mozilla developers show howamazingly out of touch they are" (his words) indicating that my messagewas not relevent while the previous one, according to them, was.

I'd like to continue discussion of this issue -- and will be forced todo so in the free venue of Full Disclosure since securityfocus' bugtraqhas shown itself to now be utterly useless.


         -Barry

note: My point is that it's a security issue, but not a vulnerability ofthe code execution type, and thus not comparable to the timeframe ittook to fix IE's latest flaws. It was also not "swept under the rug" asit's discussion was on a public resource. Appearently, bugtraq'smoderators think it's OK to blindly attack Mozilla but not OK to try toclearify the issue. Nice move, showing your true colors like this.




Barry Fitzgerald wrote:

Justin Polazzo wrote:
5 Years to fix a vuln? I am not sure if even Microsoft has been thatslow to confront a security flaw. Has anyone heard an explanation asto why this was kept confidential and swept under the rug until now?
BTW: Thank you Mr. Smith for an excellent page.
Sounds to me like sensationalist hyperbole more than it does that thiswas "kept confidential". (I hardly call bugzilla confidential.)
This is not a vulnerability. This is an interface option that can beused to carry out a forgery. The same can be done using the IMG tag.Since I can use another company's logo on my "forged" site using theIMG tag, are you then going to ask why it took the w3c over a decadeto remove the IMG tag vulnerability?
Give me a break...

      -Barry
p.s. Don't get me wrong, this is a security issue that should befixed. At the very least, it should be possible to disable XUL orlimit it's usage. However, comparing this to the recent IEvulnerabilities is poor judgement to say the least.

References:
- Re: Fwd: New possible scam method : forged websites using XUL (Firefox)
  - From: Justin Polazzo

Prev by Date: SoX Exploiter by Rosiello Security
Next by Date: EXPLOIT for Re: [VSA0402] OpenFTPD format string vulnerability
Previous by thread: Re: Fwd: New possible scam method : forged websites using XUL (Firefox)
Next by thread: Re: Fwd: New possible scam method : forged websites using XUL (Firefox)
Index(es):
- Date
- Thread