severity 429052 important
thanks

Since upstream does not consider this a critical bug, I don't think we should either. Some sort of warning to the user would be good though, I agree. I could take iceweasel out of mailcap, but this might annoy more than this exploit is a threat. A stripping script would work I suppose, but would probably be surprising to the user.

Ccing pkg-mozilla-maintainer, do you guys have any opinions?

* Vincent Lefevre ([EMAIL PROTECTED]) wrote:
> Package: iceweasel
> Version: 2.0.0.4-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> The default /etc/mailcap entry makes iceweasel to be called directly
> to view HTML files with a "file://" URL. Due to Mozilla bug 230606
> (or 382637, on which the attached example is based), data readable
> by the user can be sent to a remote web server.
>
> For instance, on my machine, after saving the attached mail file and
> removing my personal ~/.mailcap file (to use Debian's):
>
> $ mutt -f exploit-file
>
> I type 'v', down, enter to view the attached exploit-file.html file
> with Iceweasel. /var/log/apache2/error.log now contains:
>
> [Fri Jun 15 17:45:11 2007] [error] [client 127.0.0.1] File does not exist:
> /var/www/vin
>
> This example just provides the hostname (value of /etc/hostname) to
> the local web server, but one can provide more private information
> (such as the contents of the user's .ssh/id_rsa or the contents of
> /etc/passwd) to any remote web server (this needs a bit more JavaScript
> to transform the data into a URL, though).
>
> A possible fix is to pass the data first to a wrapper that will clean
> up the HTML file (i.e. remove scripts), or, if one wants to still have
> the possibility to run scripts, store the file to some place where a
> "http://localhost/..." URL can be used (the user must have a local web
> server installed).

--
Eric Dorland <[EMAIL PROTECTED]>
ICQ: #61138586, Jabber: [EMAIL PROTECTED]
1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6
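The "wrapper that will clean up the HTML file" proposed in the quoted report could look like the following. This is an added example, not code from the thread or from the Debian package; the allowlists and the names `Sanitizer` and `sanitize` are assumptions. It rebuilds the document from an allowlist rather than searching for `<script>`, so event-handler attributes, `javascript:`/`file:` links and embedded resources are dropped as well.

```python
# Hypothetical mailcap wrapper: emit a script-free copy of an HTML attachment.
import html
import sys
from html.parser import HTMLParser

# Allowlists are assumptions of this sketch; anything not listed is dropped.
ALLOWED_TAGS = {"html", "head", "title", "body", "p", "br", "hr", "div", "span",
                "a", "b", "i", "em", "strong", "pre", "blockquote", "ul", "ol",
                "li", "table", "tr", "td", "th", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"href", "title", "colspan", "rowspan"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
SKIP_CONTENT = {"script", "style", "iframe", "object", "applet"}  # drop body too
VOID = {"br", "hr"}

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_CONTENT:
            self.skip_depth += 1  # an unclosed element drops the rest (fail closed)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Only plain web/mail links survive: no javascript:, file: or data:
            bad_href = name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES)
            if name in ALLOWED_ATTRS and not bad_href:  # on*, src, style never match
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SKIP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def sanitize(markup: str) -> str:
    parser = Sanitizer()
    parser.feed(markup)
    parser.close()  # flush buffered text
    return "".join(parser.out)

if __name__ == "__main__":  # filter: HTML on stdin, sanitized HTML on stdout
    sys.stdout.write(sanitize(sys.stdin.read()))
```

Comments and doctype declarations are also discarded, because the parser's default handlers for them emit nothing.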