Comments on: Safari beta zero day

By: Gareth Heyes

Gareth Heyes — Sat, 06 Oct 2007 23:01:42 +0000

Luke I’m not sure if Firefox 2.0.0.7 is vulnerable, the POC should display an alert box with the source and cookies from the Amazon domain, when I tired it in Firefox this did not work.

By: luke

luke — Sat, 06 Oct 2007 19:01:00 +0000

Firefox 2.0.0.7 is also vulnerable

By: thorin

thorin — Wed, 03 Oct 2007 12:50:14 +0000

@Wez

It’s not that they said it wasn’t a bug it’s that they said it wasn’t a security issue.

By: Wez Furlong

Wez Furlong — Fri, 17 Aug 2007 18:57:56 +0000

and perhaps I should clean my glasses, because I missed the part where apple said it wasn’t a bug…
Ignore my previous comment

By: Wez Furlong

Wez Furlong — Fri, 17 Aug 2007 18:53:24 +0000

With software products that are shipped to the end-user, beta status means that there are problems, known or otherwise and the beta tester expects to run into problems, and expects to have to wait for a new beta release to correct them, even if they are super critical bugs.

It’s great that you filed a bug, but you can’t expect fixes in beta releases on your schedule.

When they go gold, it had better be fixed, of course. But until then, you need to set your expectations correctly–and it I think that you can blame Web2.0 perpetual beta services for your misconception about beta software products.

By: Ronald

Ronald — Fri, 17 Aug 2007 17:03:23 +0000

BTW: MSIE did have it, but they disabled it in MSIE 7, which was a wise choice. And yes Mozilla is walking behind the facts again.

By: Ronald

Ronald — Fri, 17 Aug 2007 16:58:19 +0000

No it’s Netscape only (strictly) I’m sure some freaks have ported it, but that’s not the point.

Well, it’s tough to read it remotely, but I figured it might divert some filters in Mozilla when I was playing with the chrome. I can access certain sensitive files in Firefox, like preferences but Now I need to figure out how to catch the stuff.

Still is, it works locally. And you don’t need any privileges to read stuff. So it could be used to read files where you would not have access.

By: Gareth Heyes

Gareth Heyes — Fri, 17 Aug 2007 13:55:35 +0000

It doesn’t work in Safari, it seems to be a Firefox feature. Lol if you’re browsing as root then you deserve everything you get

Yep I think there is scope for a problem with Firefox, I’d watch Ronald’s blog for updates.

By: Kae Verens

Kae Verens — Fri, 17 Aug 2007 13:36:20 +0000

interesting… in Linux, Firefox (haven’t got Safari) try this:
view-source:file:///etc/passwd

or if you’re root,
view-source:file:///etc/shadow
(of course, no-one would ever browse as root )

By: Gareth Heyes

Gareth Heyes — Fri, 17 Aug 2007 13:04:06 +0000

I’m sure there’s something to that:-
view-source:chrome://global/locale/config.dtd

But you would have to access the xml from the iframe in order to use it.