Comments on: More 0day in Firebug http://larholm.com/2007/04/06/more-0day-in-firebug/ Me, myself and I Wed, 19 Nov 2008 11:55:50 +0000 http://wordpress.org/?v=2.6.2 By: Scriptorama.nl » Maand van de problemen met browsers http://larholm.com/2007/04/06/more-0day-in-firebug/#comment-37 Scriptorama.nl » Maand van de problemen met browsers Thu, 31 May 2007 06:38:48 +0000 http://test.larholm.com/?p=8#comment-37 [...] maar met Firebug kom je lokaal in elk geval iets teveel info tegen. Combineer dat met de problemen die Firebug heeft gehad (en mensen die mogelijk nog die oude versie draaien) en dan is het toch zaak dat dat snel opgelost [...] [...] maar met Firebug kom je lokaal in elk geval iets teveel info tegen. Combineer dat met de problemen die Firebug heeft gehad (en mensen die mogelijk nog die oude versie draaien) en dan is het toch zaak dat dat snel opgelost [...]

]]> By: LimCore http://larholm.com/2007/04/06/more-0day-in-firebug/#comment-36 LimCore Tue, 22 May 2007 12:30:04 +0000 http://test.larholm.com/?p=8#comment-36 I wonder will there be things like friefox internal firewall and antiviruses. Perhaps even ASL(access control list)/RBAC. To audit chrome contexts and so on. I wonder will there be things like friefox internal firewall and antiviruses.

Perhaps even ASL(access control list)/RBAC.

To audit chrome contexts and so on.

]]> By: New Start http://larholm.com/2007/04/06/more-0day-in-firebug/#comment-32 New Start Mon, 30 Apr 2007 05:47:29 +0000 http://test.larholm.com/?p=8#comment-32 <strong>Firebug Goes Evil(firebug1.0.3之前的安全隐患)...</strong> firebug存在严重安全隐患... Firebug Goes Evil(firebug1.0.3之前的安全隐患)…

firebug存在严重安全隐患…

]]> By: Joe Hewitt http://larholm.com/2007/04/06/more-0day-in-firebug/#comment-30 Joe Hewitt Fri, 06 Apr 2007 02:44:22 +0000 http://test.larholm.com/?p=8#comment-30 I have fixed this issue and and released 1.04. As you suggested, I now escape all text before inserting it into HTML, rather than leaving it up to the caller. I've also added support for disabling file: urls. I hope there aren't any more vulnerabilities to be found, but if there are, please give me a day to patch it before you publish. I do appreciate you taking the time to make Firebug more secure, but it's better for everyone to have the patch surface before the exploit. It is a good think that Firefox has an automatic update system, so every Firebug user should be secured within a few days. I have fixed this issue and and released 1.04.

As you suggested, I now escape all text before inserting it into HTML, rather than leaving it up to the caller. I’ve also added support for disabling file: urls.

I hope there aren’t any more vulnerabilities to be found, but if there are, please give me a day to patch it before you publish. I do appreciate you taking the time to make Firebug more secure, but it’s better for everyone to have the patch surface before the exploit.

It is a good think that Firefox has an automatic update system, so every Firebug user should be secured within a few days.

]]>