
Topic: Firefox: about:blank is phisher's best friend

SecurityAlert: 2264
CVE: CVE-2007-1004
SecurityRisk: Low
Remote Exploit: Yes
Local Exploit: Yes
Exploit Available: Yes
Credit: Michal Zalewski
Published: 21.02.2007
Affected Software: IE7 and Firefox

Advisory Content:

Firefox suffers from a design flaw that can be used to confuse casual
users and evoke a false sense of authority when visiting a fraudulent
website. The flaw can be also used to bypass a fix for an old UI spoofing
bug that was thought to be addressed. This is a relatively minor issue,
but I thought it's worth reporting.

It is possible for a script to open 'about:blank' URL in a new tab; this
tab will be opened with a blank address bar (the behavior is different for
new windows, where the bar will be grayed out or hidden).

The script can then interact with this document as if it were a page in
the same domain, including the ability to inject custom HTML. Some
methods of adding this HTML, such as win.document.write(), will update
document.location and the address bar to that of the interacting script,
which seems like an intuitive choice - the user is informed about the
origin of the displayed data.

Since about:blank is a minimal but valid HTML document with a DOM
structure, it is also possible to inject code through the use of
win.document.body.appendChild() and friends, in which case, the URL bar
remains blank, the 'reload' button is disabled, and 'page info' / 'page
source' menu options will show no useful data.

Having text displayed in a window that has an empty URL bar can confuse
the user as to the origin of the displayed data or security prompts, as if
they were internal browser messages; an empty address bar is considerably
less suspicious than a shady host name or a panic-inducing data: URL
scheme.

Furthermore, there was an old UI spoofing bug - when a window was opened
without URL bar and menus, the attacker could use strategically placed
graphics and HTML controls (or XUL code), so that the fake URL bar read
"google.com", while an IFRAME below could display "zombo.com" instead.
Similarly, he could spoof a native browser-originating modal warning or
dialog to have the user do something dumb. This problem was addressed by
forcibly prepending current site name to window title for all URL-bar-less
windows, so that the Internet origin of such a pop-up is clear, and so
that it will have a hard time mimicking a native window.

The problem is that 'about:blank' windows that have no document.location
defined can be used to inhibit this behavior - window title can be freely
controlled, except for the appended ' - Mozilla Firefox' string, and spoof
browser UI elements without the user having a reason to be suspicious.

A quick if naive demonstration of the two attacks described here can be
found at this URL:

http://lcamtuf.coredump.cx/ffblank/

[ Note that I simply used a screenshot of my UI, which is a non-standard
one, and the image is not compensated for other screen resolutions etc;
as such, you should be able to see that the URL bar is unusual and
non-interactive; that's not a limitation of this attack, but rather,
an unloved bastard child of my sheer laziness. ]

<rant>
PS. On an unrelated note - in 2004, people began to notice that these
nifty yellow security notification bars that appear on the top of
MSIE7 and FF windows can be trivially spoofed by a webpage ("A plugin
is required to display this content." / "An update to Firefox is
available"), proving that placing messages in a script-accessible
region of the window was a terrible, terrible design decision. These
problems were not fixed, but rather dismissed as a user responsibility
(to do what exactly, learn all legitimate notices and tell them from
fakes?). What the hell?
</rant>

Cheers,
/mz
http://lcamtuf.coredump.cx

Update :
-----------------------------------
On Sat, 17 Feb 2007 zonafirefox (at) gmail (dot) com wrote:

> I tested it in IE7 and has the same problem. Opera 9.10 blocks the
> opening of the new window but fails in the second button.

With MSIE7, it is possible only if you check 'Allow websites to open
windows without address or status bar' for that particular zone;
otherwise, all windows will have a minimal URL bar attached.

I'm not sure whether this setting is default - if it is, yeah, that'd be
bad for MSIE.

As far as Opera is concerned - by default, Javascript can't hide address
bars, and if you change this option, the originating URL is still
displayed.

/mz
---------------------------
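As an added example that is not part of the advisory (function names and sample scripts below are constructed), a small static triage check that flags the pattern described in the post: a script that opens about:blank and then injects content into that tab, distinguishing document.write(), which updates the address bar to the caller's origin, from DOM-level insertion, which leaves it blank.

```javascript
// Added example, not code from the advisory: a static triage check that
// flags scripts opening about:blank and then injecting content into that
// tab, the pattern described above. All sample scripts are constructed.
const METHODS = 'write\\s*\\(|writeln\\s*\\(|body\\.appendChild\\s*\\(' +
  '|body\\.innerHTML\\s*=|body\\.insertAdjacentHTML\\s*\\(';
// handle = window.open('about:blank' ...)   (declared or reassigned handle)
const OPEN_RE = /\b(?:(?:const|let|var)\s+)?(\w+)\s*=\s*(?:window\.)?open\(\s*(['"])about:blank\2/g;
// handle.document.<injection method>
const INJECT_RE = new RegExp(`\\b(\\w+)\\.document\\.(${METHODS})`, 'g');
// window.open('about:blank').document.<injection method>  (no handle kept)
const INLINE_RE = new RegExp(
  `(?:window\\.)?open\\(\\s*(['"])about:blank\\1[^)]*\\)\\.document\\.(${METHODS})`, 'g');

// Strip the trailing "(" or "=" so the method name reads cleanly.
const methodName = (m) => m.replace(/\s*[(=]$/, '');

function findBlankTabInjection(source) {
  const handles = new Set();
  for (const m of source.matchAll(OPEN_RE)) handles.add(m[1]);
  const findings = [];
  const record = (handle, raw) => {
    const method = methodName(raw);
    // document.write()/writeln() update the tab's location (and address bar)
    // to the caller's origin; DOM insertion leaves the address bar blank.
    const addressBar = method.startsWith('write') ? 'updated to caller origin' : 'left blank';
    findings.push({ handle, method, addressBar });
  };
  for (const m of source.matchAll(INJECT_RE)) if (handles.has(m[1])) record(m[1], m[2]);
  for (const m of source.matchAll(INLINE_RE)) record('(inline)', m[2]);
  return findings;
}

// Constructed sample scripts for the check to run over.
const SAMPLES = {
  blankTab: `var w = window.open('about:blank');
    var p = w.document.createElement('p');
    p.textContent = 'Notice';
    w.document.body.appendChild(p);`,
  writeTab: `let w = open("about:blank", "_blank");
    w.document.write("<h1>hello</h1>");`,
  inline: `window.open('about:blank').document.body.innerHTML = '<b>Notice</b>';`,
  benign: `var w = window.open('https://example.com/help'); w.focus();`,
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(findBlankTabInjection(src)));
}
```

The check is a heuristic for triage only: it does not follow a handle through reassignment or see through obfuscated source.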
