In response to 0.0.0.0 day, Firefox Nightly version 131 had introduced a new security measure: blocking access to 0.0.0.0/::/::ffff:0.0.0.0 addresses. This change is currently live for Nightly users and will be gradually rolled out to all release users in the near future. Before we implement this ch...
  • tal@lemmy.todayEnglish
    4·
    8 hours ago

    It sounds like, from other articles, Chrome at least is blocking access to the local machine from non-local pages, which seems very much desirable.

    Blocking access to the local machine across-the-board would be problematic, since one might want to browse stuff served by a local webserver.

    I’d also add that I’ve been around network security for some time, have gone through a bunch of the RFCs and know some odd IPv4 addressing quirks – I can tell you that 0177.0x1 will reach localhost – but didn’t know that a packet addressed to 0.0.0.0 would go to localhost. From another article, it sounds like other addresses that reach localhost had been blocked a long time ago.

  • Zachariah@lemmy.world
    3·
    9 hours ago

    Oligo Researchers have found that public websites (like domains ending in .com) are able to communicate with services running on the local network (localhost) and potentially execute arbitrary code on the visitor’s host by using the address 0.0.0.0 instead of localhost/127.0.0.1.

    Remediation In Progress: Browsers Will Soon Block 0.0.0.0

    Following responsible disclosure, HTTP requests to 0.0.0.0 are now being added to security standards using a Request for Comment (RFC), and some browsers will soon block access to 0.0.0.0 completely. 0.0.0.0 will not be allowed as a target IP anymore in the Fetch specification, which defines how browsers should behave when doing HTTP requests.