The second flaw is a vulnerability in the phishing filter. By adding a second “/” after the domain, the phishing filter will not catch the URL. So www.pcper.com/evil would be caught and www.pcper.com//evil would not. I would suggest getting Spoofstick and upping its maxVersion value so it is compatible with Firefox 2.
If you are unsure how to … download the Firefox version of Spoofstick with Internet Explorer so you get an .XPI file. Open that .XPI file with your favorite compression software. View the install.rdf with Notepad and look for the “<em:maxVersion>1.6a2</em:maxVersion>” line. Bump the value up to 126.96.36.199 or 3.0 or whatever version takes your fancy, as long as it is at least as high as your version of Firefox. Close the file archive, saving changes and updating the archive.
Now you are running Spoofstick again. Although this method will work with every extension, I can’t guarantee it won’t break them or Firefox … except this one, as I have been using it for months with no issue.
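The same maxVersion bump done as a script, added here as an example rather than anything from the original post or from Spoofstick itself: an .XPI is an ordinary zip, so the script copies every member through unchanged and only splices a new value into the `<em:maxVersion>` element of install.rdf. The sample manifest and the placeholder script inside it are constructed for the example; it refuses an archive with no install.rdf or no maxVersion element instead of silently writing back an unchanged file.

```python
import io
import re
import zipfile
# Matches the <em:maxVersion>...</em:maxVersion> element inside install.rdf.
MAX_VERSION_RE = re.compile(r"<em:maxVersion>([^<]*)</em:maxVersion>")

# Constructed sample manifest in the shape the post describes, not Spoofstick's real file.
SAMPLE_INSTALL_RDF = """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:targetApplication><Description>
      <em:minVersion>1.0</em:minVersion>
      <em:maxVersion>1.6a2</em:maxVersion>
    </Description></em:targetApplication>
  </Description>
</RDF>
"""

def make_sample_xpi(include_rdf=True):
    # Build a tiny in-memory .xpi (an ordinary zip) holding a placeholder script.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        if include_rdf:
            z.writestr("install.rdf", SAMPLE_INSTALL_RDF)
        z.writestr("chrome/content/main.js", "// placeholder extension code\n")
    return buf.getvalue()

def bump_max_version(xpi_bytes, new_version):
    """Return (patched xpi bytes, old maxVersion); every other member is copied as-is."""
    old_version, out = None, io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "install.rdf":
                text = data.decode("utf-8")
                m = MAX_VERSION_RE.search(text)
                if m is None:
                    raise ValueError("install.rdf has no <em:maxVersion> element")
                old_version = m.group(1)
                # Splice the new value over the old one; the rest of the file is untouched.
                data = (text[:m.start(1)] + new_version + text[m.end(1):]).encode("utf-8")
            dst.writestr(info, data)
    if old_version is None:
        raise ValueError("archive contains no install.rdf")
    return out.getvalue(), old_version

def inspect_xpi(xpi_bytes):
    # Return (member names, current maxVersion) so the patch can be verified.
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        rdf = z.read("install.rdf").decode("utf-8")
        return z.namelist(), MAX_VERSION_RE.search(rdf).group(1)
```

Run it against a real .XPI by reading the file into bytes, calling `bump_max_version(data, "3.0")`, and writing the returned bytes to a new file; the original archive is never modified in place.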
“A security company has reported two new flaws in the Mozilla Firefox browser that may leave locally saved files vulnerable to outside attacks.
Both flaws were announced by SecuriTeam, a division of Beyond Security, this week. The first flaw lies in Firefox’s pop-up blocker feature, according to a SecuriTeam statement on Monday. The browser typically does not allow Web sites to access files that are stored locally, according to the official report, but this URL permission check is superseded when a Firefox user has turned off pop-up windows manually. As a result, an attacker could use this flaw to steal locally stored files and personal information that might be stored in them.”
Here is some more Tech News from around the web:
- Wi-Fi Penetration Tester In Your Pocket @ Slashdot
- Windows Vista Upgrade Frustrations @ ExtremeTech
- PCI-SIG completes PCIe External Cabling 1.0 specification @ DigiTimes
- Windows Vista Week 2: The Week of FUD @ Digital Trends
- Panasonic HDC-SD1 Review @ Digital Trends
- Google opens Gmail to all @ CNET