Full Disclosure mailing list archives
Firefox 3.6.13 pseudo-URL SOP check bug (CVE-2010-3774)
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 9 Dec 2010 10:58:45 -0800
Hi folks, Firefox 3.6.13 fixes an interesting bug in their same-origin policy logic for pseudo-URLs that do not have any inherent origin associated with them. These documents are normally expected to inherit the context from their parent, or be assigned a unique one. This didn't work as expected in Firefox, apparently due to a code refactoring in 2008. The vulnerability permits malicious websites to access and modify the contents of special pages such as about:neterror or about:config, which has consequences ranging from content spoofing to complete subversion of the browser security model. More info: http://lcamtuf.blogspot.com/2010/12/firefox-3613-damn-you-corner-cases.html Whimsical PoC: http://lcamtuf.coredump.cx/ffabout/ PS. I posted a couple of probably interesting browser security write-ups on my blog of recent, recapping the status quo in areas such as HTTP cookie security. Some readers might find them interesting / useful - say: http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html Cheers, /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Firefox 3.6.13 pseudo-URL SOP check bug (CVE-2010-3774) Michal Zalewski (Dec 09)