[21257] in bugtraq


Re: Mozilla is excessively generous.

daemon@ATHENA.MIT.EDU (Mike Shaver)
Fri Jun 29 04:39:02 2001

Message-ID: <3B3C05BC.8000604@mozilla.org>
Date: Fri, 29 Jun 2001 00:36:12 -0400
From: Mike Shaver <shaver@mozilla.org>
MIME-Version: 1.0
To: qg@nuclear.biodome.org
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

> 208.191.35.126 - - [27/Jun/2001:21:07:21 -0400] "GET /~qg/billy.html HTTP/1.1" 200 333 "mailbox:///home/dustin/.mozilla/dustin/uo1voac3.slt/Mail/Mail/mail.ink-1.org/Inbox?number=29822904" "Mozilla/5.0 (X11; U; Linux 2.2.16-22 i686; en-US; rv:0.9.1) Gecko/20010608"
> 
> Would anyone working on the Mozilla project care to add dustin's password
> to this line in my web logs?  Maybe his mother's maiden name?

If you'd bothered to report this to mozilla.org, via bugzilla, rather 
than just going straight to bugtraq[*], you would probably have found 
bug 83038, which was fixed for mozilla 0.9.2.  (0.9.2 froze tonight for 
final QA before release.)

People using Mozilla < 1.0 should probably be aware that there are bugs 
remaining, and some of those bugs may affect the security of the 
application.  I don't think there are any serious ones left outstanding, 
but I may not judge "serious" like you do, and there may yet be some 
undiscovered/unreported.

[*] Not that I have a problem with people mailing bugtraq to let people 
know what they should watch for, but if someone else _hadn't_ reported 
this to bugzilla, we might not have fixed it in time for 0.9.2.  I 
assume that's what you want, and that you weren't just posting to be 
clever at our expense.

Mike
(not on bugtraq, please cc: on replies)
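
An added example, not part of the original message or of Mozilla's code: one way a site operator could scan access logs for the leak shown in the quoted log line, flagging Referer values that carry a non-web scheme such as mailbox:. The function name, the scheme allow-list and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache/NCSA "combined" format:
#   host ident user [time] "request" status bytes "referer" "agent"
# Quoted fields may contain backslash-escaped quotes, so allow \" inside them.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) '
    + QUOTED + ' ' + QUOTED + r'$'
)

# Assumption: only these schemes are expected in a Referer. Anything else
# (mailbox:, file:, ...) names client-local state that should not be sent.
WEB_SCHEMES = {"http", "https"}

def leaked_referers(lines):
    """Return (host, scheme, referer) for entries whose Referer is not a web URL."""
    findings = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        host, referer = m.group(1), m.group(6)
        if referer in ("", "-"):
            continue  # client sent no Referer
        try:
            scheme = urlsplit(referer).scheme.lower()
        except ValueError:
            continue  # unparseable Referer value
        if scheme and scheme not in WEB_SCHEMES:
            findings.append((host, scheme, referer))
    return findings

# Constructed sample lines (documentation addresses, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [27/Jun/2001:21:07:21 -0400] "GET /page.html HTTP/1.1" 200 333 '
    '"mailbox:///home/user/.mozilla/user/Mail/Inbox?number=1" '
    '"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.1) Gecko/20010608"',
    '192.0.2.11 - - [27/Jun/2001:21:08:02 -0400] "GET /page.html HTTP/1.1" 200 333 '
    '"http://www.example.com/links.html" "Mozilla/4.0 (compatible)"',
    '192.0.2.12 - - [27/Jun/2001:21:09:40 -0400] "GET /page.html HTTP/1.1" 200 333 '
    '"-" "Mozilla/4.0 (compatible)"',
]

if __name__ == "__main__":
    for host, scheme, referer in leaked_referers(SAMPLE):
        print(f"{host}\t{scheme}\t{referer}")
```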


