
Full Disclosure mailing list archives
Re: Firefox: serious cookie stealing / same-domain bypass vulnerability
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Sun, 18 Feb 2007 00:04:57 +0100 (CET)
On 2/15/07, Michal Zalewski <lcamtuf () dione ids pl> wrote:
[...on other potential Firefox flaws...] I did not research them any further, so I can't say if they're exploitable - but you can see a demo here, feel free to poke around: http://lcamtuf.coredump.cx/fftests.html
On Thu, 15 Feb 2007, pdp (architect) wrote:
the first one runs in about:blank which is restricted. the second one is very interesting but still not very useful because it acts like about:blank. hmmm it seems that the hostname field has been seriously overlooked.
Just a heads up: the first one turned out to be quite useful as a method to bypass anti-UI-spoofing measures in Firefox (see my last non-reply post to BUGTRAQ).

The second one is interesting in that it allows one to cripple the browser's native XUL / JS while still retaining some of its privileges, and to interfere with how other sites' scripts are executed. I have a feeling this can be turned into an exploitation vector, but I haven't had a chance to familiarize myself with that part of the FF codebase. I posted a more detailed analysis to Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=370445#c41

...a quick demo of how wrong things can go is here (bogus .exe is being served): http://lcamtuf.coredump.cx/tx/

The third testcase I posted is not a significant security problem, and the fourth - probably merely a performance issue (though there is some disagreement between developers).

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/