0.0.0.0 Day
Moderator: trava90
- Moonbather
- Posts: 51
- Joined: 2015-12-14, 07:57
- Location: Moon Base Alpha
0.0.0.0 Day
I wanted to ask if this recently disclosed vulnerability affects the Linux or MacOS builds of Pale Moon.
https://www.oligo.security/blog/0-0-0-0 ... he-browser
- RealityRipple
- Astronaut
- Posts: 746
- Joined: 2018-05-17, 02:34
- Location: Los Berros Canyon, California
- Contact:
Re: 0.0.0.0 Day
Not recently discovered. It's been a known "non-private" private address bypass for almost 20 years. And I'm not sure I'd call it a bug so much as an exploitable misclassification. It's also a kind of bad *NIX network design leftover that they re-interpret 0.0.0.0 as localhost, effectively bypassing the TCP binding of the server. But yes, the fetch() request will need to be updated to match the spec change.
Re: 0.0.0.0 Day
Spec proposal isn't merged yet, but if this is a known issue that should be addressed because of a *NIX networking oddity then I'm all for it.
"Just because you are offended doesn't mean you are right." -- unknown
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
- RealityRipple
- Astronaut
- Posts: 746
- Joined: 2018-05-17, 02:34
- Location: Los Berros Canyon, California
- Contact:
Re: 0.0.0.0 Day
Not sure, but I think it should just be a matter of checking for '0.0.0.0' in nsDNSService2's PreprocessHostname() function, same as the optionally-blocked .onion URLs.
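The hostname check sketched above, as an added example that is not Pale Moon or UXP code: a standalone JavaScript function that applies the "is this 0.0.0.0?" test to the host as the WHATWG URL parser canonicalises it, so the shorthand spellings a page can put in a fetch() URL ("0", "0x0", "0.0", the IPv6 "[::]") land on the same comparison as the dotted form. The URL list is constructed test input; the function and constant names are this example's own.

```javascript
// Added example, not code from Pale Moon or UXP. Models the proposed
// "block 0.0.0.0" hostname check as a standalone function and shows why
// it is best applied to the parsed host rather than the raw string.
// All URLs below are constructed test inputs.

// "Unspecified" addresses: on Linux/macOS a connect() to these reaches the
// local host, so a web page must never be allowed to target them.
const UNSPECIFIED_HOSTS = new Set(["0.0.0.0", "[::]"]);

// Naive literal comparison against the raw host string, for contrast.
function naiveHostCheck(rawHost) {
  return rawHost === "0.0.0.0";
}

// Check applied after WHATWG URL parsing. The parser canonicalises IPv4
// shorthand ("0", "0x0", "0.0", "000.0.0.0") to "0.0.0.0" and IPv6
// ("[0:0::0]") to "[::]", so every spelling hits the same comparison.
function isUnspecifiedTarget(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return false; // not a parseable URL; leave it to the normal error path
  }
  return UNSPECIFIED_HOSTS.has(url.hostname);
}

// Classify a batch of URLs, returning an object of { url: blocked? }.
function classify(urls) {
  const verdicts = {};
  for (const u of urls) verdicts[u] = isUnspecifiedTarget(u);
  return verdicts;
}

// Constructed sample inputs: several spellings of 0.0.0.0, the IPv6
// unspecified address, and ordinary hosts that must not be caught.
const SAMPLE_URLS = [
  "http://0.0.0.0:8080/api",
  "http://0/",
  "http://0x0:3000/",
  "http://0.0/",
  "http://000.0.0.0/",
  "http://[::]:8000/",
  "http://[0:0::0]/",
  "http://127.0.0.1/",
  "http://localhost/",
  "https://example.com/",
];

if (typeof require !== "undefined" && require.main === module) {
  console.table(classify(SAMPLE_URLS));
}
```

Run with `node` to print the table. The point of `naiveHostCheck` is only contrast: `naiveHostCheck("0")` is false, while `isUnspecifiedTarget("http://0/")` is true because the parser has already turned "0" into "0.0.0.0". Note that 127.0.0.1 and localhost are deliberately left alone here; the thread's proposal is specific to 0.0.0.0.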
Re: 0.0.0.0 Day
That sounds like a simple solution. I don't really see a reason for legitimate traffic to ever connect to 0.0.0.0 in normal use, anyway. If it's as simple as I think then I can roll this into 33.3.0 -- as it is the first release candidate was in need of changes anyway ;P
"Just because you are offended doesn't mean you are right." -- unknown
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: 0.0.0.0 Day
Pretty painless. See Issue #2554 (UXP). Meaning we'll be ahead of the curve again on something sec related ;P
"Just because you are offended doesn't mean you are right." -- unknown
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: 0.0.0.0 Day
Is there anything us users can do to mitigate this while waiting for 33.3.0?
- RealityRipple
- Astronaut
- Posts: 746
- Joined: 2018-05-17, 02:34
- Location: Los Berros Canyon, California
- Contact:
Re: 0.0.0.0 Day
If you don't have any software that runs a local webserver, you're OK.
If you use Windows, you're OK.
Otherwise...
Use HTTPS versions of websites wherever possible.
Don't enable mixed content.
Make any local servers only accessible from the exact local IP on your preferred network(s); don't listen on the localhost or 127.0.0.1 addresses, if the option is there.
Re: 0.0.0.0 Day
On another forum I found this:
uBo for Pale Moon doesn't have this, and I looked around the internet for a way to manually add this, but no luck. Does anyone have any info on this?
You need to open the Filter lists tab in the uBlock dashboard and enable and load the Block Outsider Intrusion list under the Privacy section.
https://forums.linuxmint.com/viewtopic.php?t=426815
- andyprough
- Keeps coming back
- Posts: 864
- Joined: 2020-05-31, 04:33
Re: 0.0.0.0 Day
We have a long thread on this forum on implementing Block Outsider Intrusion into LAN: viewtopic.php?f=19&t=29982

ron_1 wrote: ↑2024-08-10, 12:58
On another forum I found this:
uBo for Pale Moon doesn't have this, and I looked around the internet for a way to manually add this, but no luck. Does anyone have any info on this?
You need to open the Filter lists tab in the uBlock dashboard and enable and load the Block Outsider Intrusion list under the Privacy section.
https://forums.linuxmint.com/viewtopic.php?t=426815

Seems to work most clearly with the eMatrix extension for Pale Moon: https://addons.palemoon.org/addon/ematrix/
Re: 0.0.0.0 Day
Thank you. I missed that thread.

andyprough wrote: ↑2024-08-11, 05:43
We have a long thread on this forum on implementing Block Outsider Intrusion into LAN
Re: 0.0.0.0 Day
The other thread is locked, so I'll post this here. On my uBo for Block Outsider Intrusion into LAN I'm getting only 7 used out of 7. In the locked thread, others were reporting getting 40 something used out of 62. I'm wondering why my number is so low? (But at least all 7 are used, I guess.)