Greasemonkey Vulnerabilities - Removal Advised
You should uninstall your Greasemonkey extensions.
Following the thread here, you can see an exploit discovered by Mark Pilgrim that allows website programmers to find and use Greasemonkey if it's enabled in the user's browser, including the GM_xmlhttpRequest object, which can GET and POST any URL to any URL with no restrictions, including local files and local directory listings. This is very insecure; I've uninstalled GM on all of my machines and advise others to do so as well. I'll be following the Mailing List to see how things develop; hopefully there will be a usable workaround.
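The missing restriction described above, sketched as an added example (this is not Greasemonkey's code or its eventual fix): a scheme and method check wrapped around a privileged request function. `checkRequest` and `guardRequest` are hypothetical names, and the sample inputs are constructed.

```javascript
// Added illustration: a guard for a privileged request API that would
// otherwise accept any URL, including file: URLs for local files.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);

// Returns { ok: true, url } or { ok: false, reason }.
function checkRequest(details) {
  const method = String(details.method || "GET").toUpperCase();
  if (!ALLOWED_METHODS.has(method)) {
    return { ok: false, reason: "method not allowed: " + method };
  }
  let parsed;
  try {
    // No base URL is supplied, so relative input throws and is rejected.
    parsed = new URL(String(details.url));
  } catch (e) {
    return { ok: false, reason: "not an absolute URL" };
  }
  // URL parsing lowercases the scheme, so "FILE:" is caught as well.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme not allowed: " + parsed.protocol };
  }
  return { ok: true, url: parsed.href };
}

// Wraps a privileged request function so every call is checked first.
function guardRequest(privilegedRequest) {
  return function guarded(details) {
    const verdict = checkRequest(details);
    if (!verdict.ok) {
      throw new Error("blocked: " + verdict.reason);
    }
    return privilegedRequest({ ...details, url: verdict.url });
  };
}

// Constructed sample inputs: two web URLs and two local-file URLs.
const samples = [
  { method: "GET", url: "https://example.com/feed.xml" },
  { method: "GET", url: "file:///C:/boot.ini" },
  { method: "GET", url: "FILE:///C:/" },
  { method: "POST", url: "http://example.com/submit" },
];

function runSamples() {
  return samples.map((s) => checkRequest(s).ok);
}

console.log(runSamples());
```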
3 Comments
Hi Alan, thanks for the heads-up. That sample malicious script you linked to doesn't do anything on my browser. Does that mean I'm safe? I'm running GM 0.3.3 on FF 1.0.4
Thanks,
Joe
I'm an idiot. I have no C:\boot.ini on my machine.
thx very useful hint.
Thanks,
Joe