[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <44AA4FDE.1080409@polypath.com>
Date: Tue, 04 Jul 2006 13:24:14 +0200
From: Thor Larholm <thor@...ypath.com>
To: Alex Potter <alex@...consulting.co.uk>
Cc: bugtraq@...urityfocus.com
Subject: Re: Browser bugs hit IE, Firefox today (SANS)
Alex Potter wrote:
>http://isc.sans.org/diary.php?storyid=1448 - update says
>
>"After doing more research on this vulnerability and with great help from our
>readers (thanks to Dan and another reader) it seems that Mozilla Firefox is
>not affected by this vulnerability."
>
>
Firefox might not be directly affected by this vulnerability, but it
does remind me of inconsistencies in how the security context of an
object is handled inside Firefox.
Ordinarily, when you have a window object containing a document from a
thirdparty domain, such as <iframe id="thirdparty"
src="http://google.com"></iframe>, you are not allowed to reference any
kind of objects inside this window. Using a DOM 0 approach,
window.frames[0].contentDocument will give you a security exception.
However, reading the contentDocument property of the DOM element instead
of the through the frames collection will give you a reference to the
document object inside the thirdparty domain and even allow you to
overwrite native DOM methods without throwing a security exception, such
as
document.getElementById("thirdparty").contentDocument.getElementById=function(s){alert(s)}.
This also holds true for window.frames[0].document.getElementsByTagName
and any other methods on the document object.
Functionally, the document and contentDocument properties both reference
the same object and should obey the same security context rules, however
Firefox differentiates based on how you reference that object and thus
allows you to overwrite native DOM methods on a thirdparty domain,
broadening the potential attack scope by allowing you to interfere with
the operations of existing script code inside that thirdparty document.
--
Thor Larholm
PolyPath, CSO
Powered by blists - more mailing lists