<<< Date Index >>>     <<< Thread Index >>>

Re: Browser bugs hit IE, Firefox today (SANS)



Alex Potter wrote:

http://isc.sans.org/diary.php?storyid=1448 - update says "After doing more research on this vulnerability and with great help from our readers (thanks to Dan and another reader) it seems that Mozilla Firefox is not affected by this vulnerability."
Firefox might not be directly affected by this vulnerability, but it does remind me of inconsistencies in how the security context of an object is handled inside Firefox.

Ordinarily, when you have a window object containing a document from a thirdparty domain, such as <iframe id="thirdparty" src="http://google.com";></iframe>, you are not allowed to reference any kind of objects inside this window. Using a DOM 0 approach, window.frames[0].contentDocument will give you a security exception. However, reading the contentDocument property of the DOM element instead of the through the frames collection will give you a reference to the document object inside the thirdparty domain and even allow you to overwrite native DOM methods without throwing a security exception, such as document.getElementById("thirdparty").contentDocument.getElementById=function(s){alert(s)}. This also holds true for window.frames[0].document.getElementsByTagName and any other methods on the document object.

Functionally, the document and contentDocument properties both reference the same object and should obey the same security context rules, however Firefox differentiates based on how you reference that object and thus allows you to overwrite native DOM methods on a thirdparty domain, broadening the potential attack scope by allowing you to interfere with the operations of existing script code inside that thirdparty document.

--
Thor Larholm
PolyPath, CSO