Firefox Spoofing Bug Puts Passwords At Risk

hairyfeet writes "Aviv Raff, an Israeli researcher known for his work in hunting browser bugs, has revealed a Firefox spoofing vulnerability which could allow identity thieves to dupe users into giving up their password. According to Mr. Raff Firefox fails to sanitize single quotes and spaces in the 'Realm' value of an authentication header. Raff was quoted as saying 'This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site.' This vulnerability was shown to be in the latest Firefox, version 2.0.0.11 and until Mozilla fixes this vulnerability Mr. Raff recommends in his blog 'not to provide username and password to Web sites which show this dialog.'"

Oh, let us mine furor!

The new Mitt Romney campaign ad is a total hoot:
http://www.youtube.com/watch?v=Af1OxkFOK18

Re:Oh, let us mine furor!

Looks somehow...different...botox?

Injection Vulnerabilities

[RAMMS+EIN]

Sometimes, injection vulnerabilities make me laugh. I mean, how difficult can it be to just put a string in another string?

Not very difficult, obviously.

And, honestly, it _isn't_ very difficult. It's only when you then go and interpret the resulting string as code that weird things start to happen. The solution is simple: don't treat strings as code. In Lisp, for example, the more natural way to compose the code would be to use list construction instead of string concatenation. That way, you can put whatever you want in the string, but it will never be excuted as code.

But then, of course, everybody loathes Lisp. And smug Lisp weenies. So I'll get modded down. On the other hand, I said I would get modded down, so I'll probably get modded up.

Re:An honest Security Bug

Lexuses are Toyotas.

Patch available for download...

... in 3 .... 2 ....