Mozilla Firefox Lets Remote Users Inject Arbitrary Content into 'about:blank' Windows
SecurityTracker Alert ID: 1018412
SecurityTracker URL: http://securitytracker.com/id?1018412
CVE Reference: CVE-2007-3089
Date: Jul 18 2007
Impact: Modification of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Advisory: Mozilla Foundation Security Advisory
Version(s): 2.0 - 2.0.0.4
Description: A vulnerability was reported in Mozilla Firefox. A remote user can spoof the contents of a window while it is loading.
A remote user can inject arbitrary content into an 'about:blank' frame when the new window is opened via a script. This allows the user to spoof the contents of the window while it is loading.
A demonstration exploit is available at: http://lcamtuf.coredump.cx/ifsnatch/
The vendor credits Ronen Zilberman and Michal Zalewski with separately reporting this vulnerability.
Impact: A remote user can spoof the contents of a new window while the window is loading.
Solution: The vendor has issued a fixed version (2.0.0.5).
The Mozilla advisory is available at: http://www.mozilla.org/security/announce/2007/mfsa2007-20.html
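The affected range (2.0 through 2.0.0.4) and the fixed release (2.0.0.5) are the only version facts this record states. The following is an added example, not part of the SecurityTracker record or the Mozilla advisory, showing how a vulnerability-management script would compare dotted Firefox version strings of unequal length (so that "2.0" and "2.0.0.0" compare equal) and produce a per-host verdict against exactly those boundaries. The host inventory at the bottom is constructed sample data.

```python
"""Affected-version check for MFSA 2007-20 / CVE-2007-3089.

Added example (not part of the SecurityTracker record or the Mozilla advisory).
It encodes only the version facts stated in the record: Firefox 2.0 through
2.0.0.4 are affected and 2.0.0.5 carries the fix. Dotted version strings are
compared numerically after zero-padding to equal length, so "2.0" == "2.0.0.0".
"""

AFFECTED_LOW = "2.0"        # first affected release, from the advisory record
AFFECTED_HIGH = "2.0.0.4"   # last affected release, from the advisory record
FIXED = "2.0.0.5"           # fixed release, from the advisory record


def parse_version(text: str) -> tuple:
    """Turn '2.0.0.4' into (2, 0, 0, 4); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic comparator, padding the shorter version with zeros."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_affected(installed: str) -> bool:
    """True when the installed Firefox falls inside the affected range (inclusive at both ends)."""
    return compare(AFFECTED_LOW, installed) <= 0 and compare(installed, AFFECTED_HIGH) <= 0


def triage(installed: str) -> str:
    """One-line verdict suitable for a vulnerability-management report."""
    if is_affected(installed):
        return f"Firefox {installed}: AFFECTED by CVE-2007-3089, upgrade to {FIXED} or later"
    if compare(installed, FIXED) >= 0:
        return f"Firefox {installed}: not affected (at or above fixed release {FIXED})"
    # Releases below 2.0 are not named in this record; do not guess about them.
    return f"Firefox {installed}: outside the range this advisory covers; check separately"


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> Firefox version reported by the endpoint agent
    inventory = {
        "ws-01": "2.0",
        "ws-02": "2.0.0.4",
        "ws-03": "2.0.0.5",
        "ws-04": "1.5.0.12",
        "ws-05": "2.0.0.12",
    }
    for host, version in inventory.items():
        print(host, triage(version))
```

The comparator deliberately refuses non-numeric input rather than silently treating it as zero, and versions below the range the record names are reported as "check separately" instead of being declared safe, since the record says nothing about them.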
Vendor URL: www.mozilla.org/security/announce/2007/mfsa2007-20.html
Cause: Access control error, State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: Michal Zalewski <lcamtuf@dione.ids.pl>
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Mon Jun 04 2007 - 06:02:40 CDT
From: Michal Zalewski <lcamtuf@dione.ids.pl>
Subject: [Full-disclosure] Assorted browser vulnerabilities
Hello,
Will keep it brief. A couple of browser bugs, fresh from the oven, hand
crafted with love:
1) Title : MSIE page update race condition (CRITICAL)
Impact : cookie stealing / setting, page hijacking, memory corruption
Demo : http://lcamtuf.coredump.cx/ierace/
...aka the bait & switch vulnerability.
When Javascript code instructs MSIE6/7 to navigate away from a page
that meets same-domain origin policy (and hence can be scriptually
accessed and modified by the attacker) to an unrelated third-party
site, there is a window of opportunity for concurrently executed
Javascript to perform actions with the permissions for the old page,
but actual content for the newly loaded page, for example:
- Read or set victim.document.cookie,
- Arbitrarily alter document DOM, including changing form submission
URLs, injecting code,
- Read or write DOM structures that were not fully initialized,
prompting memory corruption and browser crash.
This is tested on MSIE6 and MSIE7, fully patched.
2) Title : Firefox Cross-site IFRAME hijacking (MAJOR)
Impact : keyboard snooping, content spoofing, etc
Demo : http://lcamtuf.coredump.cx/ifsnatch/
Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=382686 [May 30]
Javascript can be used to inject malicious code, including key-snooping
event handlers, on pages that rely on IFRAMEs to display contents or
store state data / communicate with the server.
This is related to a less severe variant independently reported by
Ronen Zilberman two weeks earlier (bug 381300).
3) Title : Firefox file prompt delay bypass (MEDIUM)
Impact : non-consensual download or execution of files
Demo : http://lcamtuf.coredump.cx/ffclick2/
Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=376473 [Apr 04]
A sequence of blur/focus operations can be used to bypass delay timers
implemented on certain Firefox confirmation dialogs, possibly enabling
the attacker to download or run files without user's knowledge or
consent.
4) Title : MSIE6 URL bar spoofing (MEDIUM)
Impact : mimicking an arbitrary site, possibly including SSL data
Demo : http://lcamtuf.coredump.cx/ietrap2/
MSIE6 vulnerability, similar but unrelated to my earlier onUnload
entrapment flaw, allows sites to spoof URL bar data.
MSIE7 is not affected because of certain high-level changes in the
browser.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/