On 2/15/07, Michal Zalewski <lcamtuf@dione.ids.pl> wrote:
[...on other potential Firefox flaws...]
I did not research them any further, so I can't say if they're
exploitable - but you can see a demo here, feel free to poke around:
http://lcamtuf.coredump.cx/fftests.html
On Thu, 15 Feb 2007, pdp (architect) wrote:
the first one runs in about:blank which is restricted. the second one
is very interesting but still not very useful because it acts like
about:blank. hmmm it seams that the hostname field has been seriously
overlooked.
Just a heads up: the first one turned out to be quite useful as a method
to bypass anti-UI-spoofing measures in Firefox (see my last non-reply post
to BUGTRAQ).
The second one is interesting in that it allows to cripple browser's
native XUL / JS while still retaining some of its privileges, and to
interfere with how other sites' scripts are executed. I have a feeling
this can be turned into an exploitation vector, but I haven't had a chance
to familiarize myself with that part of FF codebase. I posted a more
detailed analysis to Bugzilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=370445#c41
...a quick demo of how wrong things can go is here (bogus .exe is being
served):
http://lcamtuf.coredump.cx/tx/
The third testcase I posted is not a significant security problem, and the
fourth - probably merely a performance issue (though there is some
disagreement between developers).
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
