
Re: [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability

To: "pdp (architect)" <pdp.gnucitizen@googlemail.com>
Subject: Re: [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability
From: Michal Zalewski <lcamtuf@dione.ids.pl>
Date: Thu, 22 Feb 2007 01:50:27 +0100 (CET)
Cc: bugtraq@securityfocus.com, security@mozilla.org, full-disclosure@lists.grok.org.uk
In-reply-to: <6905b1570702211617k183d9260i9e00ed6f80accd73@mail.gmail.com>
References: <Pine.LNX.4.58.0702220046430.6282@dione> <6905b1570702211617k183d9260i9e00ed6f80accd73@mail.gmail.com>

On Thu, 22 Feb 2007, pdp (architect) wrote:

> Michal, is that a feature or a bug? Maybe it is not obvious to me what
> you are doing, but I feel that it is almost like asking the user to
> bookmark a bookmarklet.

Bookmarklets should be bookmarkable only manually, with user knowledge and
consent (that is, you need to copy-and-paste the URL, etc). This seems to
be the case for javascript: URLs.

Here, the situation is different: the user can, and quite likely will,
unknowingly bookmark a script while attempting to bookmark a regular page
via Ctrl-D + <return>. He doesn't expect or want this code to later run in
the context of his start page or any other resource (principle of least
astonishment, etc, etc).

Cheers,
/mz
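An added example, not from this thread, of the consent gate the reply argues for: a bookmark-save routine that classifies the candidate URL by scheme using WHATWG URL parsing, stores ordinary web URLs straight away on Ctrl-D + Return, and routes javascript: (and similar script-capable) URLs through an explicit user confirmation instead of saving them silently. The `confirm` callback and the `store` array are assumed names for the surrounding UI and bookmark storage.

```javascript
// Added example (not code from the thread or from Mozilla): gate bookmark
// saving so that a script URL is never stored without the user's knowledge.
const AUTO_SAVE_SCHEMES = new Set(["http:", "https:", "ftp:"]);
const SCRIPT_SCHEMES = new Set(["javascript:", "data:", "vbscript:"]);

// Classify a candidate bookmark URL. Returns one of:
//   "auto"    - ordinary web URL, safe to store on Ctrl-D + Return
//   "consent" - script-capable or unusual scheme, store only after the
//               user explicitly confirms
//   "reject"  - not parseable as an absolute URL
function classifyBookmarkUrl(candidate) {
  let url;
  try {
    // WHATWG parsing lowercases the scheme, strips leading/trailing C0
    // controls and spaces, and removes embedded tab/newline characters, so
    // " JavaScript:" and "java\nscript:" are both seen as "javascript:".
    url = new URL(candidate);
  } catch (e) {
    return "reject";
  }
  if (AUTO_SAVE_SCHEMES.has(url.protocol)) return "auto";
  if (SCRIPT_SCHEMES.has(url.protocol)) return "consent";
  // file:, about:, custom schemes: also a human decision, never automatic.
  return "consent";
}

// Save a bookmark the way Ctrl-D + Return would. `store` is an assumed array
// of {title, url}; `confirm(title, url)` is an assumed callback that asks the
// user and is only invoked for URLs that need consent.
function saveBookmark(title, candidate, store, confirm) {
  const verdict = classifyBookmarkUrl(candidate);
  if (verdict === "reject") return false;
  if (verdict === "consent" && !confirm(title, candidate)) return false;
  store.push({ title, url: new URL(candidate).href });
  return true;
}
```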
