Date: Wed, 07 Aug 2002 07:45:39 -0400
From: madodelatptdprolog.net
Subject: [VOICENWS] SW: Security vulnerability in Mozilla

From: "FEEB"

Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.0.0) Gecko/20020602 tested and found vulnerable:

+ Overview:
~~~~~~~~~~~~~~~~~
Mozilla allows running Malicious Scripts due to a bug in 'FTP view'. If you click on a malicious link, the script embedded in URL will run.

* If the ftp server and the http server are the same address, it is dangerous. Because the cookie may be modified by the attacker.

+ Demonstration:
~~~~~~~~~~~~~~~~~
http://www.geocities.co.jp/SiliconValley/1667/advisory03e.html

Frank Bures,

[Moderator note: The site states the workaround is "Use the latest version of Mozilla 1.1 Beta or disable JavaScript." I'm using a recent nightly drop of Warpzilla so the exploit demonstration doesn't work for me. So I am passing this on without verification.]