- Status Closed
- Percent Complete
- Task Type Security Issue
- Category Any
-
Assigned To
g4jc - Operating System All
- Severity Critical
- Priority Very High
- Reported Version Any
- Due in Version Starfix
-
Due Date
Undecided
- Votes
- Private
Attached to Project: Packages
Opened by bugmen0t - 10/09/2018
Last edited by Emulatorman - 13/09/2018
Opened by bugmen0t - 10/09/2018
Last edited by Emulatorman - 13/09/2018
FS#1171 - [iceweasel-uxp-noscript] Zero-day bypass and script execution
Description:
NoScript zero-day allows script execution even with scripts blocked by default.
https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/
https://twitter.com/ma1/status/1039163003034324992
Additional info:
* package version(s) < 5.1.8.7
Steps to reproduce:
Set the Content-Type of your html/js page to “text/html;json” and enjoy full JS pwnage”
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
This has been fixed, just needs to be packaged. You can try the fixed addon here: https://repo.hyperbola.info:50000/other/iceweasel-uxp/addons/noscript/