lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <200702122359.13307.marcello@softmedia.info>
Date: Mon, 12 Feb 2007 23:59:13 +0100
From: Marcello Barnaba <marcello@...tmedia.info>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Firefox/MSIE focus stealing vulnerability -
	clarification

Hi Michal,

On Monday 12 February 2007 00:01, Michal Zalewski wrote:
> After some research, I can offer this clarification:
>
>   1) The MSIE 7 attack vector I described is a distinctive, new
>      vulnerability that differs from the attack reported by Charles
>      McAuley and Bart van Arnhem. Attacks described by them were
>      fixed in MSIE7 (although MSIE6 is still exposed to the original
>      flaw).
>
>      My vulnerability attacks the same form control, but in a different
>      manner. Again, the demo for this vulnerability is here:
>      http://lcamtuf.coredump.cx/focusbug/ieversion.html
>
>   2) The Firefox attack vector is related to the Charles' CVE-2006-2894,
>      which in turn was a rediscovery of a problem known to Mozilla since
>      2000 (!); attempts to fix it in official releases failed because the
>      problem was repeatedly marked as a duplicate of a too narrowly
>      defined issue with control hiding. A broader redesign probably
>      eliminated the issue in development branches, but it still affects
>      Firefox 1.5 and 2.0.
>
>      This can be considered an independent rediscovery and a more
>      practical demonstration of a previously reported vulnerability.
>      The exploit is here: http://lcamtuf.coredump.cx/focusbug/index.html

I tested both the ff and ie version on both Safari 2.0.4 (419.3) and Konqueror 
3.5.5.

On the FF version, konqueror does not exhibit any behavior, lets you input 
text and no redirection is made. To my surprise, the IE version instead dumps 
all the keystrokes typed but does not copy them again into the textarea.
Hitting return causes a dialog "The following files will not be uploaded 
because they could be not be found", and the reason is because the file name 
is the whole input phrase.

On Safari the FF version does not dump anything either, just the first C 
keystroke is took and taken directly into oblivion :). OTOH the IE version 
exhibits the same behavior as konqueror, but the "select file" open dialog 
pops up whenever hitting space.

Regards
-- 
pub 1024D/8D2787EF  723C 7CA3 3C19 2ACE  6E20 9CC1 9956 EB3C 8D27 87EF

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ