uBlockOrigin/uAssets

Add `0.0.0.0` address filter for any source to prevent browser (current and older) exploatation for localhost

Closed this issue · 2 comments

eirnym commented

Prerequisites

  • This is NOT a YouTube, Facebook, Twitch or a shortener/hosting site report. These sites MUST be reported by clicking their respective links.
  • I read and understand the policy about what is a valid filter issue.
  • I verified that this issue is not a duplicate. (Search here to find out.)
  • I did not remove any of the default filter lists, or I have verified that the issue was not caused by removing any of the default lists.
  • I did not enable additional filter lists, or I have verified that the issue still occurs without enabling additional filter lists.
  • I do not have custom filters/rules, or I have verified that the issue still occurs without custom filters/rules.
  • I am not using uBlock Origin along with other content blockers.
  • I have verified that the web browser's built-in content blocker/tracking protection, network wide/DNS blocking, or my VPN is not causing the issue.
  • I have verified that other extensions are not causing the issue.
  • If this is about a breakage or detection, I have verified that it is caused by uBlock Origin and isn't a site issue.
  • I did not answer truthfully to ALL the above checkboxes.

URL(s) where the issue occurs.

I don't know where it's exploited

Description

There's a security threat for browsers with 0.0.0.0 IP address which is not treated locally.

At the moment it's easier to block this IP address locally until all major browsers provides patches. I see Mega has an exception for 127.0.0.1, but this IP is a security threat rather than "useful services located on localhost"

Other extensions used

none

Screenshot(s)

Screenshot(s)

Configuration

uBlock Origin: 1.59.0
Firefox: 129
filterset (summary):
 network: 178659
 cosmetic: 81670
 scriptlet: 22241
 html: 1938
listset (total-discarded, last-updated):
 added:
  block-lan: 70-1, 14d.14h.29m
  DEU-0: 7545-38, 13h.45m
  RUS-0: 40761-12, 6m Δ
 default:
  user-filters: 48-1, never
  ublock-filters: 39785-143, 12h.45m Δ
  ublock-badware: 10490-7, 12h.45m Δ
  ublock-privacy: 1041-5, 12h.45m Δ
  ublock-unbreak: 2533-1, 12h.45m Δ
  ublock-quick-fixes: 142-8, 6m
  easylist: 87991-193, 12h.45m Δ
  easyprivacy: 53095-149, 12h.45m Δ
  urlhaus-1: 29235-0, 13h.45m
  plowe-0: 3555-1003, 1d.18h.23m
  POL-0: 8762-47, 13h.45m
  POL-2: 1283-49, 1d.13h.46m
filterset (user): [array of 48 redacted]
trustedset:
 added: [array of 8 redacted]
userSettings:
 userFiltersTrusted: true
hiddenSettings: [none]
supportStats:
 allReadyAfter: 819 ms (selfie)
 maxAssetCacheWait: 116 ms
 cacheBackend: indexedDB
stephenhawk8054 commented

Already fixed in EP few days ago: easylist/easylist@3b9d57fe

  • 👀1
eirnym commented

nice, thanks