Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain byp

from [pdp (architect)] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability
Date: Thu, 15 Feb 2007 15:25:12 +0000 
weird, firefox slowly dies out

t2.html
<html>
        <body>
                <iframe src="t1.html"></iframe>
        </body>
</html>

t1.html
<html>
        <body>
                <script>location.hostname="blog.com";</script>
        </body>
</html>


On 2/15/07, pdp (architect) <pdp.gnucitizen@googlemail.com> wrote:

the first one runs in about:blank which is restricted. the second one
is very interesting but still not very useful because it acts like
about:blank. hmmm it seams that the hostname field has been seriously
overlooked.

On 2/15/07, Michal Zalewski <lcamtuf@dione.ids.pl> wrote:

On Thu, 15 Feb 2007, pdp (architect) wrote:


I wander whether we can execute code on about:config or about:cache.


Actually, there are several odd problems related to location updates and
location.hostname specifically, including one scenario that apparently
makes the script run with document.location in about: namespace.

I did not research them any further, so I can't say if they're
exploitable - but you can see a demo here, feel free to poke around:

  http://lcamtuf.coredump.cx/fftests.html

Cheers,
/mz
http://lcamtuf.coredump.cx/




--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org




-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability, pdp (architect)
Next by Date:  [Full-disclosure] Drive-by Pharming, Oliver Friedrichs
Previous by Thread:  Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability, pdp (architect)
Next by Thread:  Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability, Base64
Indexes:  [Date] [Thread] [Top] [All Lists]