Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-2381: MochiKit javascript hijacking vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=238616 icon@xxxxxxxxxxxxxxxxx changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |CANTFIX ------- Additional Comments From icon@xxxxxxxxxxxxxxxxx 2007-05-01 17:04 EST ------- Upstream sez (http://groups.google.com/group/mochikit/t/e473d15b0e689054): > Will there be a fix for http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2381 > in the 1.3.1 branch? Nope. It's not a real security issue, not with MochiKit anyway. The recommended "fix" would mean supporting some junk that's not JSON anymore. I've already caved and put said support on the trunk just so people would shut up about the issue, but I'm certainly not going to make a maintenance release to "fix" this non-issue. Ensuring that your server only sends JSON when properly authenticated, or otherwise sending only non-exploitable JSON (e.g. JSON with an object envelope) is the only solution to this problem. Only a very small subset of JSON, specifically [array, envelope, json] is susceptible to this data leakage attack. Don't send that stuff on the server-side, and there is no problem. Most people don't send array envelope JSON anyhow. Either way, totally irrelevant to the client-side. It's like saying that we should fix browsers so that they can't be used to mount a SQL injection attack on a poorly written service. -bob -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. -- Fedora-security-list mailing list Fedora-security-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-security-list
