Closed Bug 303290 Opened 19 years ago Closed 19 years ago

Website inaccessible to pre-Firefox 1.0.4 users

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect)

Product:
addons.mozilla.org Graveyard
Component:
Public Pages
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 299466

People

(Reporter: jcubed_la, Assigned: Bugzilla-alanjstrBugs)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

The update site which has extensions and themes is completely inaccessible to a
Firefox user who is not using Firefox 1.0.4 or newer.  _However_, users of any
other browsers of any other version (IE, Opera, Mozilla, or Lynx) are able to
access the site and download extensions/themes.  Using the User Agent Switcher
extension allows pre-Firefox 1.0.4 users to get into the site without problems.

Reproducible: Always

Steps to Reproduce:
1. Use a pre-Firefox 1.0.4 binary and access https://addons.mozilla.org/.
Actual Results:  
An alert comes up indicating that the browser needs to be upgraded to Firefox
1.0.4 or later.

Expected Results:  
I should be able to get into the Website regardless of what version of Firefox
I'm using.


There exists a workaround to the problem: The User Agent Switcher extension.  I
can use the extension to be any other browser, and have access to the
extensions/themes.  But I shouldn't have to.

If the site is going to restrict the browser to Firefox 1.0.4 or newer, it
should do it across the board.  Either all non-Firefox 1.0.4 or newer users get
blocked (including IE, Mozilla, Opera and Lynx users), or everybody should get in.

If the intent is to force users to upgrade to the most recent and secure version
of Firefox, why isn't a similar restriction in place for Mozilla?  I was able to
get into the update site with Mozilla 1.6, which is even older than Firefox
1.0.4.  Does this mean imply Mozilla is more secure than Firefox?

As it stands right now, the restriction affects _only_ Firefox users.
It does exactly what it is supposed to do: tell you to upgrade your Firefox.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Versions of Firefox prior to Version 1.0.4 had a security problem that could be
exploited using the website, which is why the redirect is in there. I don't
believe this problem affected Mozilla, but I could be wrong on that.

I think this is unlikely to be changed... but I'm not resolving it as
WONTFIX/INVALID myself.
(In reply to comment #2)
> Versions of Firefox prior to Version 1.0.4 had a security problem that could be
> exploited using the website, which is why the redirect is in there. I don't
> believe this problem affected Mozilla, but I could be wrong on that.
> 
> I think this is unlikely to be changed... but I'm not resolving it as
> WONTFIX/INVALID myself.

So then by not blocking IE/Opera/Lynx the site implies that those browsers are
more secure than Firefox.  Isn't that the wrong message to send?

We are not responsible for their holes.  This security hole in particular
affected the interaction between Firefox and UMO where UMO is a trusted site.
(In reply to comment #4)
> We are not responsible for their holes.  This security hole in particular
> affected the interaction between Firefox and UMO where UMO is a trusted site.

So now you have created a site that IE can get into that Firefox < 1.0.4 cannot.
 On mozilla.org.  On Firefox's home turf it can't get to a page that competing
browsers can.

Again, isn't this sending the wrong message?
(In reply to comment #5)
> So now you have created a site that IE can get into that Firefox < 1.0.4 cannot.
>  On mozilla.org.  On Firefox's home turf it can't get to a page that competing
> browsers can.
> 
> Again, isn't this sending the wrong message?

If memory serves, the page explains why you are being diverted to the
alternative page...
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---

*** This bug has been marked as a duplicate of 299466 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago19 years ago
Resolution: --- → DUPLICATE
(In reply to comment #3)
> So then by not blocking IE/Opera/Lynx the site implies that those browsers are
> more secure than Firefox.  Isn't that the wrong message to send?
> 

No, and if you actually followed what happened you would already understand.  IE
may be swiss cheese, but having content served from UMO is SPECIFICALLY required
to exploit a hole in older versions of Firefox.  Allowing MSIE users access to
UMO does not put them at any additional risk.  Allowing Firefox 1.0.3 users
access exposes them to the risk of full remote compromise.
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.