| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 Feb 2005 18:52:12 +0100
From: "mikx" <mikx@...x.de>
To: <full-disclosure@...ts.netsys.com>, <bugtraq@...urityfocus.com>,
<NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>
Subject: Fireflashing [Firefox 1.0]
__Summary
Using plugins like Flash and the -moz-opacity filter it is possible to
display the about:config site in a hidden frame or a new window.
By making the user double-click at a specific screen position (e.g. using a
DHTML game) you can silently toggle the status of boolean config parameters.
As long as the number of about:config parameters is unchanged (unlikely a
casual user will change them) you can move the parameter you want to the
specified screen position by using CSS.
You can also load about:config using the real player plugin and merged url
events. See the real producer documentation for details and merge a command
like "u 0:0:0:0.0 0:0:0:30.0 &&targetframe&&about:config"
__Proof-of-Concept
http://www.mikx.de/fireflashing/
__Status
The bug is marked as fixed in bugzilla. Get a nightly build, compile on your
own or wait for Firefox 1.0.1.
2005-02-01 Vendor informed (bugzilla.mozilla.org #280664)
2005-02-01 Vendor confirmed bug
2005-02-04 Vendor fixed bug
2005-02-07 Public disclosure
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0232 to this issue.
__Affected Software
Tested with Firefox 1.0 and Mozilla 1.7.5
__Contact Informations
Michael Krax <mikx@...x.de>
http://www.mikx.de/?p=10
mikx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists