Google
  Web www.spinics.net

[Bug 238616] CVE-2007-2381: MochiKit javascript hijacking vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2007-2381: MochiKit javascript hijacking vulnerability


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=238616


icon@xxxxxxxxxxxxxxxxx changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|                            |CANTFIX




------- Additional Comments From icon@xxxxxxxxxxxxxxxxx  2007-05-01 17:04 EST -------
Upstream sez (http://groups.google.com/group/mochikit/t/e473d15b0e689054):

> Will there be a fix for http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2381
> in the 1.3.1 branch?

Nope. It's not a real security issue, not with MochiKit anyway. The
recommended "fix" would mean supporting some junk that's not JSON
anymore. I've already caved and put said support on the trunk just so
people would shut up about the issue, but I'm certainly not going to
make a maintenance release to "fix" this non-issue.

Ensuring that your server only sends JSON when properly authenticated,
or otherwise sending only non-exploitable JSON (e.g. JSON with an
object envelope) is the only solution to this problem.

Only a very small subset of JSON, specifically [array, envelope, json]
is susceptible to this data leakage attack. Don't send that stuff on
the server-side, and there is no problem. Most people don't send array
envelope JSON anyhow. Either way, totally irrelevant to the
client-side. It's like saying that we should fix browsers so that they
can't be used to mount a SQL injection attack on a poorly written
service.

-bob

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list

[Home]     [Fedora Legacy List]     [Fedora Maintainers]     [Fedora Desktop]     [Red Hat 9 Bible]     [Fedora Bible]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Coolkey]     [Fedora Tools]

Powered by Linux

Google
  Web www.spinics.net