C5 : Firefox 38 Bug

Home » CentOS » C5 : Firefox 38 Bug
CentOS 66 Comments

I displayed, as a web page, a list of search results created in PHP, from MySQL.

Firefox prevents me looking at the web page’s source coding.

Right-click, view source, produces this display:-

“Document Expired
“This document is no longer available.
“The requested document is not available in Firefox’s cache.
” As a security precaution, Firefox does not automatically re-request sensitive documents.
” Click Try Again to re-request the document from the website.”

CTRL-U produces the same message.

The headers are:-




Quick Message – Search Facility






Removing the DocType makes no difference.

Clicking on the “Try Again” button produces this display:-



Quick Message – Search Facility






A candidate for upstream bugzilla ?

66 thoughts on - C5 : Firefox 38 Bug

  • Just for those who are the same upset with Mozilla firefox as I am (for about 6 years I was looking for firefox replacement, – fruitlessly mostly). Someone just recommended me a replacement, which I didn’t test long enough yet, but during last two weeks I’m using it, and it behaves
    (is stable, and has all featured one would expect from the browser today).

    https://www.vivaldi.com/

    Alas, it is not open source, but it is available (as precompiled binaries)
    for Linux (both rpm abd deb based installers), MacOX, and Windows. I can not use it on my FreeBSD workstation, – sigh (I probably will end up switching from firefox to midori on FreeBSD). When choosing Firefox replacement, I had really strong constraint on my side: “provided the browser is NOT google chrome”, as I have my reservations about google chrome which I don’t want to go into here.

    Mentioning in a hope this may help someone.

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • The most offensive problems of using browsers is that they do not tell you nor ask your permission when javascripts spy on your entire storage contents. I had asked a java developer at Sun Microsystems about what Sun means when it says that Java runs in a sandbox?
    Just what is the sandbox?
    I also asked if browsers that execute javascripts are retricted to this notion of a sandbox that does not leak out into the rest of the system.

    He said the “sandbox” is the entire storage on your computer.

    Enough said.

  • jd1008 wrote:

    Please note that java and javascript are two separate languages…. And I
    have noscript installed everywhere….

    mark

  • Huh? You’ve been misinformed. Certainly there have been exploits against browsers to bypass the sandbox, but this isn’t the default configuration in any browser I know of.

    Java != JavaScript. It’s a common misconception. Perhaps that’s why this java developer might have answered the way he did, although I’m fairly certain Java sandboxes can also be restricted (although I’m no Java developer) so they don’t have access to the entire storage of your computer. Certainly, simple UNIX permissions prevent both Java and browsers from getting access to the *entire* storage on your computer, unless they’re used to exploit some other vulnerability.

    If you’re concerned about JavaScript, I suggest looking into the NoScript firefox extension.

  • Mark, please be aware that noscript has also a whitelist that is not viewable by the user. The whitelist tab does NOT list the hidden white listed entries.

  • You mean the noscript.mandatory about:config entry? I looked at it on my computer and it wasn’t really web sites, just internal chrome URLs like “about:config”.

  • Let me guess: google, mozilla, …

    Please, tell me how wrong I am (who are actually whitelisted would be really good to know).

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • I’d certainly like to see proof of this claim.

    Are you sure you’re not thinking about Adblock Plus and its “bribe us and we’ll whitelist you” scheme?

  • I was just using that as an example of damaging javascripts. The current version of noscript no longer tells the number of javascrits that are blocked out of the total (per web site). In the older versions, I would dlete all entries in the visible whitelist, and would visit new websites. It would list some n javascripts blocked out of m scripts. Clicking on ‘options’ tab on bottom, I would not see the
    ‘allowed’ scripts listed.

  • Neither javascript nor Java applets can access the local filesystem. Applets launched by JNLP can do so, but that involves a pop-up that asks the user’s permission.

    Misunderstandings do happen in natural language.

  • Javascript can use CSS attributes to see if you’ve visited a specific URL, which is unfortunate, but that’s a long way from saying that your history is an open book. Javascript cannot directly access your history. A script cannot enumerate all of the sites you’ve visited, it can only test specific, complete URLs.

    As far as cookies go, you’re even further from the truth. A script can only access cookies whose domain matches the origin of the script.

  • So, you’re scaring people away from a privacy-enhancing tool with unprovable claims of a hidden whitelist? Which I can’t find in the javascript source of the XPI? Also, based on your conversations with someone who worked at a company that hasn’t existed since 2009?

    I get it, you’ve got some concerns about the security of the web model. But adjust your tin foil hat, you’re picking up Fox News on that thing.

    For the record, I use NoScript, Ghostery and uBlock, and am happy with the experience (for the most part).

    I also heavily use Firefox profiles, and only use a completely separate profile for certain operations, such as online banking. I’ve been playing with using the SELinux sandbox program too, but its just too convenient to be able to copy-paste into firefox, which sandbox blocks. I don’t use the same profile for Facebook (*sigh*, yeah) and just random browsing. I’m certain that a certain amount of private information leaks out when I’m browsing forums or catching up with the news, but unfortunately, that’s the tax you pay when you use the web.

    I’m fairly certain that io9.com isn’t reading /etc/shadow on my computer.

  • jd1008 wrote:

    This is not completely correct. I just went to my tab on google news, noscript, options, and removed google.content (or whatever it was).

    mark

  • NOP!!
    He stated NO misunderstanding. I think you are simply repeating you have learned NOT by actually knowing the code and implemetation the way the developer of the product knew it. Your info is both dated and part of the marketing blurbs.

    Question:
    2 marketing execs are talking with each other. Which one of them is lying?

    ANS:
    The one whose lips are moving.

  • You did not read my full message. You are using a recent incarnation of noscript which does not enumerate in a temprary line near the status bar about how many scripts are block out of a total.

    If you want to continue thinking all is well in noscript land, fine with me.

  • So the published security model of two different Free Software languages is flawed, and no security researchers are publishing that?

  • Speaking of privacy… I would recommend people to check out tor project:

    https://www.torproject.org/

    they have nice browser (codebase of which is Mozila Firefox, – they didn’t find better workhorse yet…). One privacy aspect that wasn’t mentioned here is you internet provider being able to see your traffic (destination at least) and analyze that. This is what tor project helps with. But other aspects are also well lit on their website, including what information you disclose yourself (often even not realizing that).

    I hope, this helps someone.

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • That site doesn’t say anything about Java or Javascript. Or cookies for that matter. You’re connecting unrelated things.

    There are flaws in software. It’s probably safe to say “all software”
    since we can’t really prove otherwise. Browsers are software. Software flaws in browsers may be used to cause the download and execution of malware. That is not, however, an indication that Java or Javascript
    “allow” access to the filesystem or cookies. They do not. At least, not any more than images do. Several browser bugs have allowed code execution as a result of malformed images. Do you also disable image rendering in your browser? The justification for both is the same: bugs might allow arbitrary execution of code.

    You’re connecting unrelated things.

  • I see nothing there but a list of the status of that specific domain, which google has analyzed from their spidering activity, there’s nothing there related to my web browser status or history or whatall.

    so whats your point?

    here’s what I got from that URL for reference:

    Safe Browsing

    /Diagnostic page for/googleusercontent.com

    *What is the current listing status for googleusercontent.com?*

    This site is not currently listed as suspicious.

    Part of this site was listed for suspicious activity 370 time(s)
    over the past 90 days.

    *What happened when Google visited this site?*

    Of the 4006663 pages we tested on the site over the past 90 days,
    3446 page(s) resulted in malicious software being downloaded and
    installed without user consent. The last time Google visited this
    site was on 2015-06-12, and the last time suspicious content was
    found on this site was on 2015-06-12.

    Malicious software includes 18440 exploit(s), 12470 trojan(s), 2399
    scripting exploit(s).

    Malicious software is hosted on 13 domain(s),
    includingpowerade.com.ar/
    < http://www.google.com/safebrowsing/diagnostic?site=powerade.com.ar/>,douglas.de/
    <
    http://www.google.com/safebrowsing/diagnostic?site=douglas.de/>,maxtraffic.com/
    <
    http://www.google.com/safebrowsing/diagnostic?site=maxtraffic.com/>.

    This site was hosted on 1 network(s) includingAS15169 (GOOGLE)
    <
    http://www.google.com/safebrowsing/diagnostic?site=AS:15169>.

    *Has this site acted as an intermediary resulting in further distribution of malware?*

    Over the past 90 days, googleusercontent.com appeared to function as
    an intermediary for the infection of 9 site(s)
    includingstartbusinesscoaching.com.au/
    <
    http://www.google.com/safebrowsing/diagnostic?site=startbusinesscoaching.com.au/>,crpcoutreach.blogspot.com/
    <
    http://www.google.com/safebrowsing/diagnostic?site=crpcoutreach.blogspot.com/>,businesscoachinstitute.com.au/
    <
    http://www.google.com/safebrowsing/diagnostic?site=businesscoachinstitute.com.au/>.

    *Has this site hosted malware?*

    Yes, this site has hosted malicious software over the past 90 days.
    It infected 1206 domain(s), includingv4download.com/
    <
    http://www.google.com/safebrowsing/diagnostic?site=v4download.com/>,vfastdownload.com/
    <
    http://www.google.com/safebrowsing/diagnostic?site=vfastdownload.com/>,downloadmee.com/
    <
    http://www.google.com/safebrowsing/diagnostic?site=downloadmee.com/>.

    *Next steps:*

    * Return to the previous page.
    <
    http://www.google.com/safebrowsing/diagnostic?site=googleusercontent.com#>
    * If you are the owner of this web site, you can request a review of
    your site using GoogleWebmaster Tools
    <
    http://www.google.com/webmasters/tools/>. More information about
    the review process is available in Google’sWebmaster Help Center
    <
    http://www.google.com/support/webmasters/bin/answer.py?answerE432>.

  • Its technically true, however, XSS attacks can get around that restriction, which is why you saw so much malware posted on a site like googleusercontent.com. Sites that allow users to upload content are always being used to host malware for XSS attacks. But you still need to be visiting a site with the same domain as the cookie, and load a compromised page. Plus, if you use HttpOnly cookies, you have to go through even more complex XSS exploits to get at the cookie, since they aren’t accessible through the DOM model.

    But as designed, Cookies are meant only to be used by scripts from the same domain as the one that set the cookie.

  • No!! I am not connecting unrelated things. Noscript shows you the NAME (ostensibly the domain name from which it comes) of the javascript. Many websites and even internet providers push javascripts from other domains.

    But, feel free to allow it on all of your browsing.

  • I should add that the exploits are constantly being addressed by both Web Browser developers as well as developers of extensions like NoScript. Its an arms race.

  • I think this thread has reached the point where we can all agree that it isn’t really CentOS related anymore.

    I think we’re at the point where we’re beating a dead horse.

  • It is my understanding that Java and Javascript are different; that Java is dangerous whilst Javascript is (hopefully) harmless.

  • Not necessarily. Both of them are an execution of somebody’s else code on your computer. One (java) may be considered running with [much] more sophisticated interpreter. Another (javascript) by its nature has to be less sophisticated code, running with different interpreters written independently by each browser vendor (even though they all are javascript interpreters, the differ grossly).

    But the bottom line is the same: in both cases you are executing somebody’s else code on your computer.

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • In FF I use Ad Block Plus to block the world’s biggest spying operation, Google. Currently 11 Google sites from google-analytics.com to googleusercontent.com

    Aware Mozilla get vast millions of USD from Google, now probably exceeding $100m, I don’t use snooping and recording ‘safe browsing’ from Google either.

  • your computer is *ALWAYS* executing someone elses code, unless you wrote every line of code in it, including the BIOS and the firmware of all the attached devices.

  • As I already said, guys, do check tor project website:

    https://www.torproject.org/

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • Indeed. What was never mentioned in this thread is a chain of trust. The level of trust to what you get from your system vendor, software vendors
    (be they open source or proprietary) may be quite different from the level of trust to what you get when clicking on some web link inside some search page, or on some website (even if you visit the website often).

    So, it is all about whom and what do you trust, and to what level can you afford to trust, and whether you are able to track the software code to the code origin.

    This all was what I implied when I said that short phrase which may look ridiculously if taken literally – exactly as you pointed out -, but may make sense if you take into account the chains of trust involved.

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • They’re as different as India and Indiana.

    That’s a pretty unsophisticated way to look at it.

    *Ideally*, Java is quite safe. It was designed with security in mind, and browser Java is much more tightly constrained in terms of what it can do than desktop, server, or embedded/mobile Java.

    Yet, there’s been a continuous stream of security updates to Java for the past 20 years, with no reason to believe this will slow down. Why?

    The big problem is those four major use scenarios for Java, all handled by one runtime. We keep finding ways for browser Java to do things that should only be possible in one of the other scenarios.

    If you trust the source of a Java applet, it’s probably fine to run it. But, I wouldn’t enable Java in the browser if you don’t know for a fact that you need it. Whitelists are probably the best ultimate solution, short of getting rid of Java entirely.

    As for JavaScript, there isn’t too much harm you can do with it directly. It doesn’t have all that desktop, enterprise, mobile, and embedded stuff built into it as with Java, so it doesn’t have to try to wall all of that off.

    The main point of blocking JavaScript is that it throws a spike strip in the path of many other types of attacks. For instance, a Flash exploit often relies on some JS probing code to run before it can run, so blocking JS provides a second layer of protection while you’re waiting for Adobe to get around to patching the Flash plugin.

    There is some minor evil possible directly from JavaScript. Some examples:

    * The original popup problem is largely solved, but now it’s resurfacing as main-page takeover ads. Block JS and you generally block these, too.

    * A script can probe your surfing history by dynamically generating hyperlinks in a hidden browser DOM, then checking how the browser styled those elements to infer whether you’ve clicked on that URL before. It’s a brute-force kind of thing, so it’s not too serious in practice, but it is a privacy leak.

  • Always Learning wrote:

    Yeah. I never enable google-analytics. When I want to see a website that’s got a ton of inclusions, I selectively temporarily enable only what I
    think I’ll need (which of those stupid things has the text? which the pic?), and when you enable disqus, for example, *then* you have to reopen noscript, because only then in disquscdn visible. Annoyances, but… and I
    never enable the ads.

    mark

  • Please, don’t advertize Kaspersky here, especially when we are talking about trust. He is KGB guy (is, not was; the only way they retire from KGB, CIA, MI-5, and others is dead, feet first dead).

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • I am not advertising, so please do not accuse anyone of this!
    Just citing evidence that infiltration of spyware and malware is far more sophisticated than anyone knew.

  • Sorry if it sounded like that: didn’t mean it to sound like accusation… I’m not native English speaker, you know ;-)

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • Never had Flash (Macromedia or Adobe) on any computer system – Windoze
    3, 95’s and 98 (my last) or on CentOS. Prefer to miss something requiring Flash. Now FF 38 has HTML5, I can view YouTube for the first time ever. Other European countries official sites seem to use MP4
    which FF’s mplayer add-on displays.

    History, cookies etc. are deleted every time FF closes. Whilst FF is running they are on a RAM disk.

    Thanks for the input.


    Regards,

    Paul. England, EU. England’s place is in the European Union.

  • I looked into tor. Too complicated to set up, and I only use hotspots :(
    Home internet with good speed is way too expensive here.

    instead of a fixed IP address.

  • Got love a page that asserts dozens of alarming things with no examples, references or links to further reading, on top of that my understanding is that the principals of this domain are (ex) KGB agents. Incendiary writing designed to create fear and angst.

  • < <<>>>

    and you know this how?

    i do not really believe there is a ‘hidden whitelist’. it is more like there are sites that are used to check on sites you connect to. gaggle is one of them. :-P

    something you will/may find interesting, open about:config, enter
    “Search: whitelist” for info on noscript ‘whitelist’. if you enter
    “Search: noscript”, you will see that noscript stores one hell of a lot of info.

    see pages;

    https://noscript.net/faq

    then enter “find: whitelist”, read all for more
    whitelist info.

    https://noscript.net/features#xss
    https://noscript.net/faq#xss

    then open noscript options select Advanced -> XSS, be sure both
    selections are checked.

    you should also register here;

    https://forums.informaction.com/viewforum.php?f=3

    to find out more about noscript and ask about ‘hidden whitelist’.

    for further protection when surfing, get the ‘wot’ [web of trust]
    add-on;

    https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/

    https://www.mywot.com/
    https://www.mywot.com/en/settings/en-US/firefox/20131030/welcome

    https://en.wikipedia.org/wiki/WOT_Services

  • Look, I am not trying to discourage anyone from using noscript. I myself do use it. But I do not put my trust in it due to my prior experience with it. If you think it floats your boat, fine with me. No need to beat on this any further.

  • As I said about these services here (KGB, CIA, MI-6, …) there is no “ex”
    for their agents. The only way one retired from these organizations is dead, feet first dead.

    Precisely!

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • Which raises the question: Just how bad does a site have to get BEFORE
    it gets listed as suspicious by Google?

  • Notwithstanding the FSB aspect of the source: If your own people habitually lie to you about such things in the name of National Security – which seems to have replaced the belief in God in the minds of many; presumably as it serves the same purpose – then where else can you go but to the opposition? The truth will out. It sometime comes through the sewers but it will out.

    Equation Group are almost certainly creatures of the beltway bandit crowd and if not actually staffed by the U.S.A. government then certainly under contract to them. Probably some combination of the two is the actual case. Given the provenance of the expos

  • A bit hyperbolic. One could with as much justification state that there is no such thing as an ex-marine, an ex-seal, an ex-commissioned officer, or an ex-almost-any-sensitive-position that has to do with the running of a modern industrial state. Various state-secret laws effectively see to that if nothing else.

    In any case, all these organizations are based on task-completion and need-to-know principles. Once you are no longer tasked then you are effectively retired, even if still employed, until re-tasked. Once you are more-or-less permanently ‘untasked’ then the only question is which budget does your paycheck offset.

    This is not to say that I disagree with the underlying point, only that it is a bit overly selective in its formulation.

  • This is up to everybody: to use their brain and avoid sources (of anything: software, “information”, “analysis”,…) if there is any indication you shouldn’t trust the source.

    Take Kaspersky. Free antivirus. This is the code you run on your Windows machine from account with highest privileges. And you even know Kaspersky’s relation with KGB (who cares: has or had). This, distributing free software (antivirus) which Windows – as MS tells you – can not be safely run without I would rate as more brilliant Intelligence (OK, call it dirty tricks) operation than collection of information by offering free
    (cloud based) applications and serviced. I know, many people will jump in right here arguing that “google is not like that” even though I didn’t even mention google. Google just stands out as the largest best known (and for which closer to its foundation there was the question: where could this huge startup capital come from – if not from uncounted taxpayer’s money…).

    It all boils down to everybody’s own willingness to stay away from anything you quite likely can not trust.

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • This has gone so far off topic…

    Could we at least limit the paranoid ravings to linux software? At least your rants about systemd were somewhat relevant.

  • Mainly from CIA & NSA :-)

    It has ongoing contracts (data sharing agreements) with the US of A
    government.

LEAVE A COMMENT