iEntry 10th Anniversary
RSS
Newsletter
Advertising
It probably hasn't been a fun week over at the Firefox team: News.com: Coding misstep forces new Firefox release.
Links: Coding misstep forces new Firefox release
Mark Pilgrim, over on the MozDev mailing list reports on a Greasemonkey/Firefox security hole:
"This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully "GET" any world-readable file on your local computer."
http://diveintogreasemonkey.org/experiments/localfile-leak.html returns the contents of c:boot.ini, which exists on most modern Windows systems.
But wait, it gets worse. An attacker doesn't even need to know the exact filename, since "GET"ting a URL like "file:///c:/" will return a parseable directory listing. (And Mac users don't get to gloat either; you're just as vulnerable, starting with a different root URL.)
Be careful out there!
Robert Scoble is the founder of the Scobleizer blog. He works as PodTech.net's Vice President of Media Development. Go to Scobleizer ...
Publish A Comment
-
What Makes a Quality URL?
In setting up a website, the URL is one of the most important... -
Getting Noticed with Google Maps
Are you utilizing Google Maps? If not, you could be hurting your... -
Gray Areas of FTC Guidelines
Although the FTC's new advertising guidelines are scheduled to go...
     |