Bug 58896 - net-www/mozilla-firefox - weak XUL security allows chrome UI spoofing ("phishing" attack)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://bugzilla.mozilla.org/show_bug....
Whiteboard: A4 [upstream] koon
Reported: 2004-07-30 07:34 UTC by Carsten Lohrke (RETIRED)
Modified: 2011-10-30 22:40 UTC

Description Carsten Lohrke (RETIRED) gentoo-dev 2004-07-30 07:34:47 UTC
faking of whole browser interface possible...
http://www.nd.edu/~jsmith30/xul/test/spoof.html
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-07-30 08:08:39 UTC
Neat :)
Waiting for upstream to fix bug
We should probably release a single GLSA with bug 57380.
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2004-07-31 04:47:01 UTC
Mozilla is affected, too. Here's the advisory: http://secunia.com/advisories/12188/
Comment 3 Carsten Lohrke (RETIRED) gentoo-dev 2004-08-04 10:12:12 UTC
Mozilla 1.7.2 and Firefox 0.9.3 are released, closing
http://bugzilla.mozilla.org/buglist.cgi?bug_id=251381,249004,250906,253121, which includes a fix for Bug 57380, too.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-08-04 10:36:31 UTC
Using bug 59419 as a metabug.
Comment 5 Aron Griffis (RETIRED) gentoo-dev 2004-08-04 16:58:58 UTC
Thunderbird is finished.  Mozilla and Firefox are still in the works.  In the case of Mozilla, enough things have changed that it wasn't a simple bump (at least one patch of ours no longer applies).  In the case of Firefox, it doesn't even build out of the box; they apparently left some files out of the distribution.

Stay tuned...
Comment 6 Aron Griffis (RETIRED) gentoo-dev 2004-08-04 17:04:26 UTC
Sorry, I meant to post that update to bug 59419
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-08-05 04:47:57 UTC
Not sure that the XUL overlay thingy (http://bugzilla.mozilla.org/show_bug.cgi?id=22183) which this bug is about is fixed in 1.7.2 / 0.9.3.
In which case this bug is not linked to the 1.7.2-fixes metabug.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-08-06 02:36:02 UTC
Confirming, this is still present, at least in Firefox 0.9.3.
This is CAN-2004-0764.

Unlinking from 1.7.2 / 0.9.3 metabug as it is *not* fixed yet.
Comment 9 Carsten Lohrke (RETIRED) gentoo-dev 2004-08-06 02:47:01 UTC
Sorry, somehow implied that this vulnerability would be fixed too. :-/
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-09-13 01:31:55 UTC
CondorDes: please follow upstream:
http://bugzilla.mozilla.org/show_bug.cgi?id=22183
and tell us when it lands.
Comment 11 Tom Lynema 2004-09-14 07:21:30 UTC
This bug is at least addressed in the 1.0PR release of Firefox.
From the bug report it looks like they are forcing the status bar and putting documentation in firefox.js.

From the firefox.js file:

// Make the status bar reliably present and unaffected by pages

pref("dom.disable_window_open_feature.status", true);

// This is the pref to control the location bar, change this to true to 
// force this instead of or in addition to the statusbar - this makes 
// the origin of popup windows more obvious to avoid spoofing but we 
// cannot do it by default because it affects UE for web applications.

pref("dom.disable_window_open_feature.location", false);
pref("dom.disable_window_status_change",          true);

These prefs should give the user a warning about spoofed sites.  That said, the test site gives me an XML Parsing Error with Firefox 1.0PR, so I can't verify.
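
Added example (not part of the comment above and not Mozilla's code): a small Node.js audit that parses pref()/user_pref() statements and reports whether the three prefs quoted in comment 11 still hold their anti-spoofing values. The function names and the sample input are constructed for illustration; the location pref is treated as advisory because the quoted file ships it as false.

```javascript
// Added example: audit Firefox pref files for the anti-spoofing prefs
// quoted in comment 11. Function names and SAMPLE are constructed here.
const EXPECTED = {
  // Shipped as true in the quoted firefox.js: a different value is "weak".
  "dom.disable_window_open_feature.status":   { want: true, required: true },
  "dom.disable_window_status_change":         { want: true, required: true },
  // Shipped as false (web-app usability), so false is only "advisory".
  "dom.disable_window_open_feature.location": { want: true, required: false },
};

// Parse pref("name", value); and user_pref("name", value); statements.
// Later statements win, as when a user.js is read after the defaults.
function parsePrefs(text) {
  const code = text
    .replace(/\/\*[\s\S]*?\*\//g, "")   // drop block comments
    .replace(/^\s*\/\/.*$/gm, "");      // drop whole-line // comments
  const re = /\b(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;/g;
  const prefs = new Map();
  for (const [, name, raw] of code.matchAll(re)) {
    if (raw === "true" || raw === "false") prefs.set(name, raw === "true");
    else if (raw.startsWith('"')) prefs.set(name, raw.slice(1, -1));
    else prefs.set(name, Number(raw));
  }
  return prefs;
}

// Report each anti-spoofing pref as ok, weak, advisory or unset.
function auditSpoofingPrefs(text) {
  const prefs = parsePrefs(text);
  return Object.entries(EXPECTED).map(([name, { want, required }]) => {
    const value = prefs.get(name);
    let status = "ok";
    if (value === undefined) status = "unset";   // built-in default applies
    else if (value !== want) status = required ? "weak" : "advisory";
    return { name, value, status };
  });
}

// Constructed input: the quoted defaults followed by a user override.
const SAMPLE = `
pref("dom.disable_window_open_feature.status", true);
pref("dom.disable_window_open_feature.location", false);
pref("dom.disable_window_status_change",          true);
user_pref("dom.disable_window_status_change", false);
// user_pref("dom.disable_window_open_feature.status", false);
`;
for (const r of auditSpoofingPrefs(SAMPLE)) {
  console.log(`${r.status.padEnd(8)} ${r.name} = ${r.value}`);
}
```

A "weak" result means a pref the quoted defaults set to true has been overridden, which lets page content again hide or rewrite the status bar.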
Comment 12 Luke Macken (RETIRED) gentoo-dev 2004-10-01 22:04:19 UTC
See bug #66084 and http://www.mozilla.org/press/mozilla-2004-10-01-02.html
Comment 13 Luke Macken (RETIRED) gentoo-dev 2004-10-01 22:10:09 UTC
Erm sorry, that vulnerability has nothing to do with this one.  But, 0.10.1 is released, and Mozilla's bug for this issue is still open.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-11-10 05:28:34 UTC
Bug is still open upstream, so I think it's not in Firefox 1.0
Comment 15 Luke Macken (RETIRED) gentoo-dev 2004-11-26 19:37:20 UTC
The bug is still open upstream, but there are no proof of concepts for Firefox 1.0, as it is "much harder to spoof".  I don't see this issue as being a threat anymore... does anyone have any reasons why this bug should stay open?
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-11-27 11:24:09 UTC
I agree that in the current state of affairs, this is hardly a vulnerability and that we could close this.
Comment 17 Luke Macken (RETIRED) gentoo-dev 2004-11-27 19:55:07 UTC
Closing... This issue is hardly a threat anymore, let alone a vulnerability.  If anyone has any good reason to keep this bug open, please do so.. but until then, it's closed.