Full Disclosure mailing list archives
RE: Firespoofing [Firefox 1.0]
From: "Soderland, Craig" <craig.soderland () sap com>
Date: Tue, 11 Jan 2005 15:37:20 +0100
This does not work if you are using the FireFox 1.0 tabbed browsing feature, as your pop up window simply opens a new tab, and it then becomes immediately obvious what you are trying to pull off here.
-----Original Message----- From: full-disclosure-bounces () lists netsys com
[mailto:full-disclosure-
bounces () lists netsys com] Sent: Monday, January 10, 2005 6:22 PM To: full-disclosure () lists netsys com; bugtraq () securityfocus com; NTBUGTRAQ () listserv ntbugtraq com Subject: [Full-disclosure] Firespoofing [Firefox 1.0] __Summary Using javascript it is possible to spoof the content of security and download dialogs by partly covering them with a popup window. This can fool a user to download and automaticly execute a file (if a file extension association exists) or to grant a script local data access (if
codebase
principals are enabled). __Expected Behavior Modal dialogs should always be on top and it should not be possible to obfuscate their appearance. __Proof-of-Concept http://www.mikx.de/firespoofing/ The PoC is designed for Firefox 1.0 running in a maximized window. Part 1 - download dialog spoofing Shows how to cover a download dialog and fool the user to execute a
file
with a standard windows file association (in this case a .ht file).
BTW,
remember the latest .ht buffer overflow... Part 2 - security dialog spoofing Shows how to cover a security dialog. Make sure codebase principals
are
enabled (not default but encouraged by many XUL sites). Creates the
file
c:\booom.txt to proof local system access. __Status The bug is confirmed but currently unfixed (open for more than 3
months).
As a partial workaround set dom.disable_window_flip to true in
about:config.
The vendor failed to respond to multiple status requests which led to
this
public disclosure. 2004-09-20 Vendor informed (bugzilla.mozilla.org #260560) 2004-09-20 Vendor confirmed bug 2004-10-20 Status request (open for 1 month - no reply) 2005-01-03 Status request (open for 3 months - no reply) 2005-01-07 Status request (disclosure warning - no reply) 2005-01-11 Public disclosure __Affected Software Tested with Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP
SP2.
__Contact Informations Michael Krax <mikx () mikx de> http://www.mikx.de/?p=7 mikx _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Firespoofing [Firefox 1.0] mikx (Jan 10)
- Re: Firespoofing [Firefox 1.0] Pavel Kankovsky (Jan 11)
- <Possible follow-ups>
- RE: Firespoofing [Firefox 1.0] Soderland, Craig (Jan 11)
- Re: Firespoofing [Firefox 1.0] James Greenhalgh (Jan 11)
- Re: Firespoofing [Firefox 1.0] Andrew Clover (Jan 11)
- Re: Firespoofing [Firefox 1.0] James Greenhalgh (Jan 11)