Re: [SLUG] IE _not_ included in new URL spoof exploit

From: Larry Brown (larry.brown@dimensionnetworks.com)
Date: Mon Feb 07 2005 - 21:52:26 EST


What is interesting is that the workaround on that link says to set
network.enableIDN to false. I did a find for all.js, grepped the file,
and the brackets list false. It didn't say anything about true on that
line. I read this post and used about:config, and it shows true. I
set it to off as per your advice and, lo and behold, it fixed the
exploit. I just checked that file again and it still says false. So
this setting must be made elsewhere.

Thanks for the instruction...

Larry

On Mon, 2005-02-07 at 18:56, 404 wrote:
> On Mon, 2005-02-07 at 18:35, 404 wrote:
> > This is pretty shocking, a new URL spoof vuln that does not include IE!
> >
> > http://www.shmoo.com/idn/homograph.txt
>
> Simple workaround/fix:
>
> 1) Go to your Firefox address bar. Enter about:config and press enter.
> Firefox will load the (large!) config page.
>
> 2) Scroll down to the line beginning network.enableIDN -- this is
> International Domain Name support, and it is causing the problem here.
> We want to turn this off -- for now. Ideally we want to support
> international domain names, but not with this problem.
>
> 3) Double-click the network.enableIDN label, and Firefox will show a
> dialog set to 'true'. Change it to 'false' (no quotes!), click Ok. You
> are done.
>
> 4) Go check out the shmoo demo again and notice it no longer works.
>
> I have heard that this fix does not work sometimes in the windoze
> versions of Firefox/Mozilla, it works just fine in the Linux versions...
>

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
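
Added example, not part of the original thread: a small Python check that reports which preference file supplies the effective value of network.enableIDN. It assumes the usual Firefox pref syntax and load order (shipped defaults such as all.js, then the profile's prefs.js, then user.js); the file contents in SAMPLE are constructed.

```python
import re

# Matches pref("name", value); and user_pref("name", value); at line start,
# so lines commented out with // are ignored.
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.MULTILINE)

# Assumed load order: later sources override earlier ones.
PRECEDENCE = ("all.js", "prefs.js", "user.js")

# Constructed sample: the shipped default says false, the profile says true.
SAMPLE = {
    "all.js": 'pref("network.enableIDN", false);\n',
    "prefs.js": '# Mozilla User Preferences\n'
                'user_pref("network.enableIDN", true);\n',
}

def parse_value(raw):
    """Convert a pref literal (true/false, integer or quoted string)."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw)

def read_pref(text, name):
    """Return the last value assigned to `name` in one file, or None."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)  # drop /* */ blocks
    value = None
    for key, raw in PREF_RE.findall(text):
        if key == name:
            value = parse_value(raw)
    return value

def effective_pref(files, name):
    """files maps file name -> contents. Returns (value, winning file)."""
    result = (None, None)
    for source in PRECEDENCE:
        value = read_pref(files.get(source, ""), name)
        if value is not None:
            result = (value, source)
    return result

if __name__ == "__main__":
    print(effective_pref(SAMPLE, "network.enableIDN"))
```

Grepping a single defaults file shows only one layer; the check walks all three and names the file whose value wins.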


