On 2/15/07, Michal Zalewski <[EMAIL PROTECTED]> wrote: >> [...on other potential Firefox flaws...] >> >> I did not research them any further, so I can't say if they're >> exploitable - but you can see a demo here, feel free to poke around: >> >> http://lcamtuf.coredump.cx/fftests.html
On Thu, 15 Feb 2007, pdp (architect) wrote: > the first one runs in about:blank which is restricted. the second one > is very interesting but still not very useful because it acts like > about:blank. hmmm it seams that the hostname field has been seriously > overlooked. Just a heads up: the first one turned out to be quite useful as a method to bypass anti-UI-spoofing measures in Firefox (see my last non-reply post to BUGTRAQ). The second one is interesting in that it allows to cripple browser's native XUL / JS while still retaining some of its privileges, and to interfere with how other sites' scripts are executed. I have a feeling this can be turned into an exploitation vector, but I haven't had a chance to familiarize myself with that part of FF codebase. I posted a more detailed analysis to Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=370445#c41 ...a quick demo of how wrong things can go is here (bogus .exe is being served): http://lcamtuf.coredump.cx/tx/ The third testcase I posted is not a significant security problem, and the fourth - probably merely a performance issue (though there is some disagreement between developers). /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/