Date: Tue, 13 Feb 2007 05:44:54 +0100
From: "Tyop?" <tyoptyop@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Firefox/MSIE focus stealing vulnerability - clarification

On 2/12/07, Ruud H.G. van Tol <rvtol@...lution.nl> wrote:
> Michal Zalewski wrote:
> >   2) The Firefox attack vector is related to the Charles' CVE-2006-2894,
> >      which in turn was a rediscovery of a problem known to Mozilla since
> >      2000 (!); attempts to fix it in official releases failed because the
> >      problem was repeatedly marked as a duplicate of a too narrowly
> >      defined issue with control hiding. A broader redesign probably
> >      eliminated the issue in development branches, but it still affects
> >      Firefox 1.5 and 2.0.
> >
> >      This can be considered an independent rediscovery and a more
> >      practical demonstration of a previously reported vulnerability.
> >      The exploit is here: http://lcamtuf.coredump.cx/focusbug/index.html
>
> Without JavaScript on, this doesn't work. See http://noscript.net/

Without a browser too, this doesn't work. See http://netcat.sourceforge.net/

--
Guasconi Vincent
French Student.
http://altmylife.blogspot.com [Fr]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
