<![CDATA[FireGPG Forum - Security update: 0.4.7]]> http://forum.getfiregpg.org/viewtopic.php?id=264 Wed, 26 Dec 2007 16:49:27 +0000 PunBB <![CDATA[Re: Security update: 0.4.7]]> http://forum.getfiregpg.org/viewtopic.php?pid=863#p863 More info regarding the security issue can be found at http://blog.watchfire.com/wfblog/2007/1 … 6-gma.html

]]> Wed, 26 Dec 2007 16:49:27 +0000 http://forum.getfiregpg.org/viewtopic.php?pid=863#p863 <![CDATA[Security update: 0.4.7]]> http://forum.getfiregpg.org/viewtopic.php?pid=859#p859 A new version dues to a (small) security problem, who come with smalls improvents smile.

Many users ask for a support of FireFox 3. We will support at last when the final version will be relased, before if we have the time ^^
Bugs :

    * Fixed a (small) security problem (reported by Roee Hay, IBM).

FireGPG (tested on 0.4.6) suffers from a Cross-Site-Scripting flaw affecting gmail.

Normally, After FireGPG automatically verifies signed mails in Gmail, it prints the public key issuer name underneath the mail message (i.e: "Good sign from Roee Hay  (made the 2007 17:26:52)".

However, the issuer name is not sanitized or verified, a fact which leads to an XSS vulnerability. If the issuer name contains a malicious javascript (e.g: "<script> [XSS_PAYLOAD] </script>"), it will be executed under Gmail's context, thus giving the attacker an opportunity to steal the victim's cookies, mail and so on. It can be exploited by sending the victim a signed message and convincing him to add your malicious public key.

* Fixed a problem with the mail autodetect system.

Functionalities :

    * Improve performances with gmail
    * Patch of tjm1983 applied, who improve signs for old gmail's version.

Locales :

    * English corrections from Sebastien Wains

Misc :

    * Change the system for upgrades or installs (this page ^^)

]]> Tue, 25 Dec 2007 10:31:39 +0000 http://forum.getfiregpg.org/viewtopic.php?pid=859#p859