There's a new bug reported in the way Firefox handles writes to the 'location.hostname' DOM property. The vulnerability could potentially allow a malicious website to manipulate the authentication cookies for a third-party site. The bug was submitted by Michal Zalewski and was tested with the current version of Firefox.
The bug could allow for the browser to appear as if it were connecting to a bank, when in fact it would instead be receiving data from a bad guy. A demo of the vulnerability and a suggested work-around can be found here.
Oh, no! I hope it's fixed quickly.
When I tested FF, the NoScript extension stopped the test site.
I then allowed the test site and I was supposedly vulnerable so I implemented the "about:config" setting and that seemed to fix it.
Ditto, the fix works for me too in the interim. I wonder though if/when Mozilla fixes it if we'll have to remove the fix.
With it being a Mozilla-suggested fix I wouldn't think so (wouldn't be surprised if the official fix just does the same thing).
Thanks I've fixed mine
Ditto
I fixed mine too, but now www.howardforums.com will not load for me. Is this happening to anyone else?
Howards Forum is loading OK here.
In case the test site for the fix can't be accessed.
An interim workaround suggested by Firefox developers is to open Firefox, go to the Address Bar and type: about:config
Then right-click anywhere on the page to add a new string key: capability.policy.default.Location.hostname.set
Set its value to noAccess
Working fine here too.
Works here as well.
God isn't that site weird? One guy on there has over 7500 posts, all about mobile phones!
The words Get and Life spring to mind.