Home page logo
/

bugtraq logo Bugtraq mailing list archives

Firefox 3.6.13 pseudo-URL SOP check bug (CVE-2010-3774)
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 9 Dec 2010 10:58:45 -0800

Hi folks,

Firefox 3.6.13 fixes an interesting bug in their same-origin policy
logic for pseudo-URLs that do not have any inherent origin associated
with them. These documents are normally expected to inherit the
context from their parent, or be assigned a unique one. This didn't
work as expected in Firefox, apparently due to a code refactoring in
2008. The vulnerability permits malicious websites to access and
modify the contents of special pages such as about:neterror or
about:config, which has consequences ranging from content spoofing to
complete subversion of the browser security model.

More info: http://lcamtuf.blogspot.com/2010/12/firefox-3613-damn-you-corner-cases.html
Whimsical PoC: http://lcamtuf.coredump.cx/ffabout/

PS. I posted a couple of probably interesting browser security
write-ups on my blog of recent, recapping the status quo in areas such
as HTTP cookie security. Some readers might find them interesting /
useful - say: http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html

Cheers,
/mz


  By Date           By Thread  

Current thread:
  • Firefox 3.6.13 pseudo-URL SOP check bug (CVE-2010-3774) Michal Zalewski (Dec 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]