Comments on: Firefoxurl URI Handler Flaw
http://xs-sniper.com/blog/2007/07/17/firefoxurl-uri-handler-flaw/
Thoughts on Security in an Uncivilized World…

By: J a C k N e w s » Blog Archive » Top Ten Web Hacks of 2007 (pingback)
Thu, 31 Jan 2008 15:11:57 +0000
http://xs-sniper.com/blog/2007/07/17/firefoxurl-uri-handler-flaw/#comment-265
[...] Firefoxurl URI Handler Flaw [...]
By: neobe’s Blog - Actualités Stockage et Sécurité » Blog Archive » The top 10 "web" hacks of 2007 (pingback)
Tue, 29 Jan 2008 11:27:13 +0000
http://xs-sniper.com/blog/2007/07/17/firefoxurl-uri-handler-flaw/#comment-263
[...] URI handling problem in Firefox [...]
By: Joseph Brenner
Thu, 16 Aug 2007 19:26:22 +0000
http://xs-sniper.com/blog/2007/07/17/firefoxurl-uri-handler-flaw/#comment-73

This is just a Windows-only problem, isn’t it?
(Isn’t it worth mentioning these things? Firefox does indeed run on other platforms, you know.)
By: Nathan McFeters
Sat, 21 Jul 2007 05:26:25 +0000
http://xs-sniper.com/blog/2007/07/17/firefoxurl-uri-handler-flaw/#comment-4

Yes, I think that the final paragraph here is the real crux of the issue. Everyone’s pointing fingers, asking whose fault it is. It’s everyone’s. Two things here:

1.) IE and other browsers which don’t properly sanitize what is sent through the URIs to back-end applications (and IE is not the only one), putting users at risk of command line argument injection and possibly worse.
2.) Application developers CHOOSE to create their own URIs for whatever purposes they intend them for. I’ve been trying to figure out reasons why developers use them; it seems quite a mix… installation, registration, interaction, etc. BUT the main point is that the developers have CHOSEN to FORCE IE to pass data to their applications through URIs. This is especially damning for applications that have switches that provide a lot of functionality, like Firefox and Netscape Navigator’s -chrome flag for instance.

Let’s just everyone keep pointing fingers and we’ll see where the blame lies after DEFCON. Otherwise, let’s get to cracking and fix these bugs and be responsible about the choices we make when programming our applications. Let’s get one thing straight, Microsoft didn’t FORCE anyone to use URIs.