Firefox 3.6.13 pseudo-URL SOP check bug (CVE-2010-3774)

[Michal Zalewski <lcamtuf () coredump cx>]

Hi folks,

Firefox 3.6.13 fixes an interesting bug in their same-origin policy
logic for pseudo-URLs that do not have any inherent origin associated
with them. These documents are normally expected to inherit the
context from their parent, or be assigned a unique one. This didn't
work as expected in Firefox, apparently due to a code refactoring in
2008. The vulnerability permits malicious websites to access and
modify the contents of special pages such as about:neterror or
about:config, which has consequences ranging from content spoofing to
complete subversion of the browser security model.

More info: http://lcamtuf.blogspot.com/2010/12/firefox-3613-damn-you-corner-cases.html
Whimsical PoC: http://lcamtuf.coredump.cx/ffabout/

PS. I posted a couple of probably interesting browser security
write-ups on my blog of recent, recapping the status quo in areas such
as HTTP cookie security. Some readers might find them interesting /
useful - say: http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html

Cheers,
/mz