[Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability
Michal Zalewski
lcamtuf at dione.ids.pl
Sat Feb 17 23:04:57 GMT 2007
On 2/15/07, Michal Zalewski <lcamtuf at dione.ids.pl> wrote:
>> [...on other potential Firefox flaws...]
>>
>> I did not research them any further, so I can't say if they're
>> exploitable - but you can see a demo here, feel free to poke around:
>>
>> http://lcamtuf.coredump.cx/fftests.html
On Thu, 15 Feb 2007, pdp (architect) wrote:
> the first one runs in about:blank which is restricted. the second one
> is very interesting but still not very useful because it acts like
> about:blank. hmmm it seams that the hostname field has been seriously
> overlooked.
Just a heads up: the first one turned out to be quite useful as a method
to bypass anti-UI-spoofing measures in Firefox (see my last non-reply post
to BUGTRAQ).
The second one is interesting in that it allows to cripple browser's
native XUL / JS while still retaining some of its privileges, and to
interfere with how other sites' scripts are executed. I have a feeling
this can be turned into an exploitation vector, but I haven't had a chance
to familiarize myself with that part of FF codebase. I posted a more
detailed analysis to Bugzilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=370445#c41
...a quick demo of how wrong things can go is here (bogus .exe is being
served):
http://lcamtuf.coredump.cx/tx/
The third testcase I posted is not a significant security problem, and the
fourth - probably merely a performance issue (though there is some
disagreement between developers).
/mz
Full-Disclosure is hosted and sponsored by Secunia.