Message-ID: <44AA4FDE.1080409@polypath.com>
Date: Tue, 04 Jul 2006 13:24:14 +0200
From: Thor Larholm <thor@...ypath.com>
To: Alex Potter <alex@...consulting.co.uk>
Cc: bugtraq@...urityfocus.com
Subject: Re: Browser bugs hit IE, Firefox today (SANS)


Alex Potter wrote:

>http://isc.sans.org/diary.php?storyid=1448 - update says 
>
>"After doing more research on this vulnerability and with great help from our 
>readers (thanks to Dan and another reader) it seems that Mozilla Firefox is 
>not affected by this vulnerability."
>  
>
Firefox might not be directly affected by this vulnerability, but it 
does remind me of inconsistencies in how the security context of an 
object is handled inside Firefox.

Ordinarily, when you have a window object containing a document from a 
third-party domain, such as <iframe id="thirdparty" 
src="http://google.com"></iframe>, you are not allowed to reference any 
kind of objects inside this window. Using a DOM 0 approach, 
window.frames[0].contentDocument will give you a security exception. 
However, reading the contentDocument property of the DOM element instead 
of through the frames collection will give you a reference to the 
document object inside the third-party domain and even allow you to 
overwrite native DOM methods without throwing a security exception, such 
as 
document.getElementById("thirdparty").contentDocument.getElementById=function(s){alert(s)}. 
This also holds true for window.frames[0].document.getElementsByTagName 
and any other methods on the document object.

Functionally, the document and contentDocument properties both reference 
the same object and should obey the same security context rules; however, 
Firefox differentiates based on how you reference that object and thus 
allows you to overwrite native DOM methods on a third-party domain, 
broadening the potential attack scope by allowing you to interfere with 
the operations of existing script code inside that third-party document.

--
Thor Larholm
PolyPath, CSO
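As an added illustration (not part of the original thread), the following check compares the two access paths the mail contrasts, the element's contentDocument property and the window.frames collection, and flags a frame whose third-party document is reachable through either one or behaves differently between them. It runs offline against constructed mock objects (the names checkFrameIsolation, probe and the two mock builders are assumptions); in a browser, pass the real window and iframe element.

```javascript
// Added example, not from the original post. Checks that a cross-origin
// iframe's document is equally inaccessible via both access paths.

// Classify one access attempt: a cross-origin document must never be
// reachable, whether the browser signals that with null or an exception.
function probe(getter) {
  try {
    const doc = getter();
    if (doc === null || doc === undefined) return 'blocked';
    return typeof doc.getElementById === 'function' ? 'exposed' : 'blocked';
  } catch (e) {
    return 'blocked';
  }
}

// Compare the two paths for one frame. Both must be 'blocked' for a
// third-party frame; any 'exposed' result, or a mismatch between the two
// paths, is the kind of inconsistency the mail describes.
function checkFrameIsolation(win, frameEl, index) {
  const viaElement = probe(() => frameEl.contentDocument);
  const viaFrames = probe(() => win.frames[index].document);
  return {
    viaElement,
    viaFrames,
    consistent: viaElement === viaFrames,
    isolated: viaElement === 'blocked' && viaFrames === 'blocked',
  };
}

// Constructed mock of the behaviour reported in the mail: the frames[]
// path throws, but the element path hands out the live document.
function mockInconsistentBrowser() {
  const thirdPartyDoc = { getElementById: () => null };
  const frameEl = { contentDocument: thirdPartyDoc };
  const win = { frames: [{ get document() { throw new Error('Permission denied'); } }] };
  return { win, frameEl };
}

// Constructed mock of the expected behaviour: both paths blocked
// (current browsers return null for a cross-origin contentDocument and
// throw on a cross-origin window's document).
function mockIsolatedBrowser() {
  const frameEl = { contentDocument: null };
  const win = { frames: [{ get document() { throw new Error('Permission denied'); } }] };
  return { win, frameEl };
}
```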

