Message-ID: <Pine.LNX.4.58.0702172351410.21898@dione>
Date: Sun, 18 Feb 2007 00:04:57 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ne.ids.pl>
To: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Firefox: serious cookie stealing /
 same-domain bypass vulnerability

On 2/15/07, Michal Zalewski <lcamtuf@...ne.ids.pl> wrote:

>> [...on other potential Firefox flaws...]
>>
>> I did not research them any further, so I can't say if they're
>> exploitable - but you can see a demo here, feel free to poke around:
>>
>>   http://lcamtuf.coredump.cx/fftests.html

On Thu, 15 Feb 2007, pdp (architect) wrote:

> the first one runs in about:blank which is restricted. the second one
> is very interesting but still not very useful because it acts like
> about:blank. hmmm it seems that the hostname field has been seriously
> overlooked.

Just a heads up: the first one turned out to be quite useful as a method
to bypass anti-UI-spoofing measures in Firefox (see my last non-reply post
to BUGTRAQ).

The second one is interesting in that it allows one to cripple the browser's
native XUL / JS while still retaining some of its privileges, and to
interfere with how other sites' scripts are executed. I have a feeling
this can be turned into an exploitation vector, but I haven't had a chance
to familiarize myself with that part of the FF codebase. I posted a more
detailed analysis to Bugzilla:

  https://bugzilla.mozilla.org/show_bug.cgi?id=370445#c41

...a quick demo of how wrong things can go is here (bogus .exe is being
served):

  http://lcamtuf.coredump.cx/tx/

The third testcase I posted is not a significant security problem, and the
fourth - probably merely a performance issue (though there is some
disagreement between developers).

/mz
