Network Security NTBugtraq

[Full-disclosure] RE: Firelinking [Firefox 1.0.2]

Subject: [Full-disclosure] RE: Firelinking [Firefox 1.0.2]
Date: Mon, 18 Apr 2005 12:08:20 -0400
I can confirm that the POC works on 1.0.2 and does not work on 1.0.3.


Michael Scovetta
Computer Associates
Senior Application Developer

-----Original Message-----
From: mikx [mailto:mikx@mikx.de] 
Sent: Monday, April 18, 2005 6:59 AM
To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com;
NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Firelinking [Firefox 1.0.2]

__Notice

I really wonder why the Mozilla Foundation decided to release a serious 
security update on a Friday night and to disclose the link to my 
proof-of-concept code so quickly. It wasn't intended from my side to 
release this as a 0day exploit. Please complain to security@mozilla.org 
if you disagree with their release policy.

__Summary

The link tag allows loading a custom image as the icon for a website, 
displayed in the location bar and in the tab title.

By setting the href attribute of this tag to a javascript url, it is 
possible to call chrome functions and run arbitrary code without user 
interaction.

__Proof-of-Concept

http://www.mikx.de/firelinking/

__Status

The bug is fixed in Firefox 1.0.3. Disable JavaScript as a workaround.

2005-04-12 Vendor informed (bugzilla.mozilla.org #290036)
2005-04-12 Vendor confirmed bug
2005-04-15 Vendor published fix, advisory and link to PoC (mfsa2005-37)
2005-04-18 This advisory

__Affected Software

Tested with Firefox 1.0.2

__Contact Information

Michael Krax <mikx@mikx.de>
http://www.mikx.de/?p=15

mikx






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
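A defender-side check for the pattern the advisory describes, added here as an example (it is not the author's proof-of-concept nor Mozilla's fix): scan HTML for `<link>` icon elements whose href a browser would parse as a javascript: URL, including the case and embedded-whitespace variants that URL parsing normalizes away. The function names and the sample HTML are constructed for this example.

```python
from html.parser import HTMLParser
from typing import List, Tuple

# Browsers (WHATWG URL parser) strip leading/trailing C0 controls and space and
# drop ASCII tab/newline anywhere, so "java\nscript:" is still the javascript: scheme.
_STRIP = "".join(chr(c) for c in range(0x21))

def normalize_scheme(href: str) -> str:
    """Lowercase scheme a browser would see for href, '' for a relative URL."""
    cleaned = href.strip(_STRIP).replace("\t", "").replace("\n", "").replace("\r", "")
    scheme, sep, _ = cleaned.partition(":")
    if not sep or not scheme or not scheme[0].isalpha():
        return ""  # e.g. "/favicon.ico" has no scheme
    return scheme.lower()

class _IconLinkScanner(HTMLParser):
    """Collects (line, href) for <link> icon elements with a javascript: href."""
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[int, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        if "icon" not in a.get("rel", "").lower().split():
            return  # not a favicon link (e.g. rel="stylesheet")
        if normalize_scheme(a.get("href", "")) == "javascript":
            self.findings.append((self.getpos()[0], a["href"]))

def find_script_icon_links(html: str) -> List[Tuple[int, str]]:
    """Return (line number, raw href) for every script-scheme favicon link."""
    scanner = _IconLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: one legitimate favicon, two script-scheme icon hrefs (the
# second with mixed case and an embedded newline), and a non-icon link to ignore.
SAMPLE_HTML = """<html><head>
<link rel="icon" href="/favicon.ico">
<link rel="shortcut icon" href="javascript:void(0)">
<link rel="ICON" href="  JaVa
ScRiPt:void(0)">
<link rel="stylesheet" href="javascript:void(0)">
</head><body></body></html>"""

if __name__ == "__main__":
    for line, href in find_script_icon_links(SAMPLE_HTML):
        print(f"line {line}: favicon href is a script URL: {href!r}")
```

A template linter or inbound-HTML filter can run this over markup before it reaches a browser that still honours script URLs in icon links; the non-icon stylesheet link is deliberately left to other checks.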
