Package: firefox
Version: 1.5.dfsg+1.5.0.6-1
Severity: important
Tags: security

The location bar can be spoofed, which means that the "yellow URL input field on TLS" security feature is useless.

To reproduce this, visit http://www.national.com.au/ and click on the first "Login" link at the upper right (under the "Internet Banking" caption). A new browser window opens, but it lacks the location bar. This means that it can be mimicked using JavaScript.

This behavior can be changed in the Firefox registry (via dom.disable_window_open_feature.location and perhaps others as well), but the default is definitely wrong.

-- 
Florian Weimer <[EMAIL PROTECTED]>
BFK edv-consulting GmbH    http://www.bfk.de/
Durlacher Allee 47         tel: +49-721-96201-1
D-76131 Karlsruhe          fax: +49-721-96201-99
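
One way to check a profile for the preference named in the report, as an added example that is not part of the original message: it parses a constructed prefs.js sample and treats an unset preference as not enforced, following the report's description of the default. The function names and the sample contents are assumptions made for illustration.

```python
import re

# Preference named in the report. Unset is treated as False here (assumption
# taken from the report: by default a page may hide the location bar).
LOCATION_PREF = "dom.disable_window_open_feature.location"
PREFIX = "dom.disable_window_open_feature."

# Matches active boolean pref lines such as: user_pref("name", true);
# Lines starting with // or # do not match because of the ^\s* anchor.
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref|lockPref)\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;',
    re.MULTILINE,
)

def parse_bool_prefs(text):
    """Return {name: bool} for boolean prefs; a later line overrides an earlier one."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop /* ... */ comments
    return {name: value == "true" for name, value in PREF_RE.findall(text)}

def audit(text):
    """Report whether the profile forces the location bar on script-opened windows."""
    prefs = parse_bool_prefs(text)
    return {
        "location_bar_enforced": prefs.get(LOCATION_PREF, False),
        # Any sibling prefs present in the file, listed for manual review.
        "other_window_feature_prefs": sorted(
            n for n in prefs if n.startswith(PREFIX) and n != LOCATION_PREF
        ),
    }

# Constructed sample profile contents (not taken from a real system).
SAMPLE_BEFORE = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
// user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.status", true);
'''
# The same profile after the setting from the report has been applied.
SAMPLE_AFTER = SAMPLE_BEFORE + (
    'user_pref("dom.disable_window_open_feature.location", true);\n'
)

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(text))
```

Placing the `user_pref` line in the profile's user.js keeps the setting across restarts.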