Why Java VM starts when viewing Plone 3.x.x in Firefox 3.5

February 16, 2010 Leave a Comment

Turns out there is a small bug in FireFox (fixed with the 3.6 release that triggers an XSS flaw in Plone which then starts Java VM if you have it installed.  This is what Alexander Limi at Plone.org had to say:

Plone 3.3 has a new maintenance release available, and you should upgrade to fix a potential security issue with Zope, and to make your site load faster.

Plone 3.3.4 is now available, and includes Zope 2.10.11, which fixes a potential XSS issue in the default error page in Zope. Although this is hard to exploit, since you have to manage to bypass the standard Plone error page — which does not have this issue — we strongly recommend that you upgrade your servers that are running any Zope version to their fixed releases available from zope.org. This applies no matter what version of Zope you are running.

Another important issue that has been fixed in this release of Plone was located in the base2 JavaScript library. It would cause the Java plugin(!) to be invoked if you have Java on your computer and are using Firefox 3.5, since there is a “magic” variable that starts the Java VM when accessed. More details here, if you are interested in the full explanation.

This issue is fixed in the latest release of KSS, and should make Plone faster for your logged-in users that are using Firefox 3.5. Though the issue has also been fixed in Firefox 3.6, which ships tomorrow, we still recommend that you upgrade.

Advertisement

Filed under Plone and Windows

About Jason
Currently I manage an award winning information portal for Durham Public Schools. I joined Durham Public Schools in 2005. As of 2009 Durham Public Schools has won 4 awards from NCSPRA for excellence in web design. In 2005 and 2006 DPS won awards for best Website for a School District among the schools districts of North Carolina. For 2007 we won 2 awards for our Construction Bond website and our Guatemala blog. In 2009 we won the National School Public Relations Association Merit award for our Graduation Project Website. At MadTek, I was responsible for the design, development, usability and deployment of the company’s information technology, web portal and business relationships. I founded MadTek, a technology consulting and web hosting company, in 1997. In 2002 MadTek became MadTek LLC. Madtek clients included: Duke University, DukeHealth, Chicago Medical Society, State of Illinois Neurosurgical Society, Precision Response Corporation, and the US Fish and Wildlife Service. From 2000-2002, I was Vice President Web Operations for RateWatch, Inc., a financial reporting and services company servicing a network of 5000 banks and credit unions. At RateWatch I was responsible for developing and implementing AmazingRates.com. an online service for identifying the best Certificate of Deposit buys for consumers by comparing the rates of over 20,000 financial institutions. My work included developing the user interface, web site, gathering tools and a set of best usability practices for the company. During the period 1998-2000, I was Consulting & Support Services Director for CyFi.com, a web development and hosting company servicing financial institutions. At CyFi I was responsible for search engine and security analysis, as well as usability and regulatory compliance. From 1997 to 1998, I was a Web Developer for AT&T WorldNet and a member of the team responsible for building and implementing AT&T’s Knowledge Management System. Specialties Usability analysis, information architecture, managed portal and consulting services.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

Follow

Get every new post delivered to your Inbox.