Bugtraq mailing list archives
Re: Mozilla Firefox 44.0b2 Cross-site Scripting Vulnerability
From: Reed Loden <reed () reedloden com>
Date: Mon, 11 Jan 2016 01:49:33 -0800
Again, how is that any different from you saving the contents of that <script> call to foo.html and opening that in Firefox? It's not even a self-XSS where you're impacting some other domain, as the null principal is loaded (as per https://bugzilla.mozilla.org/show_bug.cgi?id=656433), so it doesn't have permissions on the currently-loaded page. ~reed On Mon, Jan 11, 2016 at 1:39 AM, Song-Dl Team <iedb.team () gmail com> wrote:
The vulnerability, our xss code for local runs in Mozilla web browser. The vulnerability is local and based on the: data: text / html is on version 44.0 beta and the old version, the answer will be. Run xss code in btowser and to giv a coockie graber as atacker and run در تاریخ ۱۱ ژانویهٔ ۲۰۱۶ ۱۳:۰۶، "Reed Loden" <reed () reedloden com> نوشت:Isn't this just you running that HTML locally (using data: to create a page, rather than just loading a local .html file)? How is this a security issue? What are you able to "exploit" by doing this? ~reed On Sun, Jan 10, 2016 at 11:08 PM, <iedb.team () gmail com> wrote:Mozilla Firefox 44.0b2 7 and Old Version Local Cross-site Scripting Vulnerability ################################# # # @@@ @@@@@@@@@@@ @@@@@ @@@@@@@@@@ @@@ @@@@@@@ # @@@ @@@@@@@@@@@ @@@ @@ @@@ @@ @@@ @@@@@@@@ # @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ # @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ # @@@ @@@@@@@@@@@ @@@ @ @@@@@@@@@@ @@@ @@@@@@ # @@@ @@@@@@@@@@@ @@@ @@ @@@ @@ @@@ @@@@@@ # @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ @@@ # @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ @@@ # @@@ @@@@@@@@@@@ @@@@@ @@@@@@@@@@ @@@ @@@ @@@ @@@ # ##################################### Iranian Exploit DataBase TiTle : Mozilla Firefox 44.0b2 Local Cross-site Scripting Vulnerability Affected Product : Mozilla Firefox 44.0b2 7 and Old Version Risk : High Tested on : Android,Windows7,Xp Vendor site : http://mozilla.org Author : Amir Email : Iedb.team () gmail com Home : http://iedb.ir - http://xssed.ir Archive Exploit : http://iedb.ir/exploits.php?id=4505 ##################################### Description : The vulnerability, our xss code for local runs in Mozilla web browser. The vulnerability is local and based on the: data: text / html is on version 44.0 beta and the old version, the answer will be. Users can xss code with Base64 algorithm Encode it to the browser, and the variable data: text / html; base64, added. Example : Xss Code : '"><script>alert('IeDb.Ir And Xssed.Ir')</script> We're Encode This code : JyI+PHNjcmlwdD5hbGVydCgnaHR0cDovL2llZGIuaXIgJiBodHRwOi8veHNzZWQuaXIgKiBBbWlyIConKTwvc2NyaXB0Pg== And to this we add the code Xss and then we run in the browser: data:text/html;base64,[Xss Encoded] Demo : data:text/html;base64,JyI+PHNjcmlwdD5hbGVydCgnaHR0cDovL2llZGIuaXIgJiBodHRwOi8veHNzZWQuaXIgKiBBbWlyIConKTwvc2NyaXB0Pg== Run To Mozilla Photo: http://iedb.ir/Bug/Mozilla.jpg ##################################### Thanks to all the friends and Iranian hackers, and thank all the members http://Iedb.Ir And IrIsT.Ir Team Home : http://iedb.ir - http://xssed.ir - http://iedb.ir/acc http://iedb.ir : This site, for recording bugs and vulnerabilities and exploits will be in it.(Iranian Exploit DataBase) http://Xssed.Ir : On this site, all bugs Xss and Sql which sites are placed.Be sure to check the site and sites vulnerable to it. ##################################### Archive Exploit : http://iedb.ir/exploits.php?id=4505 #####################################
Current thread:
- Mozilla Firefox 44.0b2 Cross-site Scripting Vulnerability iedb . team (Jan 11)
- Message not available
- Message not available
- Re: Mozilla Firefox 44.0b2 Cross-site Scripting Vulnerability Reed Loden (Jan 11)
- Message not available
- Message not available
- <Possible follow-ups>
- Mozilla Firefox 44.0b2 Cross-site Scripting Vulnerability iedb . team (Jan 11)