There seems to be some confusion regarding the exact impact of the
location.hostname vulnerability, and the ways to protect against it. I
wanted to offer a quick clarification.
1) Cookie setting (session fixation) attacks can be executed universally
and with no restrictions. This is
On 2/15/07, Michal Zalewski [EMAIL PROTECTED] wrote:
[...on other potential Firefox flaws...]
I did not research them any further, so I can't say if they're
exploitable - but you can see a demo here, feel free to poke around:
http://lcamtuf.coredump.cx/fftests.html
On Thu, 15 Feb 2007,
very good work
I wonder whether we can execute code on about:config or about:cache.
Right now we can only modify cookies and bypass the same origin
policy. If we can get JavaScript running on about:cache or
about:config or some chrome URL, we might be able to completely hijack
the browser.
If
This vuln is not exploitable in this condition against IIS server 6
and possibly earlier versions. IIS will die on the null character in
the new request. It doesn't seem like anyone has brought up this
fact.
Example (IIS): location.hostname='microsoft.com\x00www.coredump.cx';
Output:
Dear Michal Zalewski,
Mitigating factor: it doesn't work through a proxy, because for a proxy the URI
is sent instead of the URL and the request will be incomplete.
GET http://evil.com
--Thursday, February 15, 2007, 1:23:01 AM, you wrote to [EMAIL PROTECTED]:
MZ 'evil.com\x00foo.example.com' to be a part
On Thu, 15 Feb 2007, 3APA3A wrote:
Mitigating factor: it doesn't work through a proxy, because for a proxy the URI
is sent instead of the URL and the request will be incomplete.
Yup. Depends on the proxy, actually ('GET http://evil.com' might get
parsed as HTTP/0.9) - but Squid, both in direct and in reverse
On Thu, 15 Feb 2007, pdp (architect) wrote:
I wonder whether we can execute code on about:config or about:cache.
Actually, there are several odd problems related to location updates and
location.hostname specifically, including one scenario that apparently
makes the script run with
On 2/15/07, Michal Zalewski [EMAIL PROTECTED] wrote:
Actually, there are several odd problems related to location updates and
location.hostname specifically, including one scenario that apparently
makes the script run with document.location in about: namespace.
I did not research them any
The first one runs in about:blank, which is restricted. The second one
is very interesting but still not very useful because it acts like
about:blank. Hmmm, it seems that the hostname field has been seriously
overlooked.
On 2/15/07, Michal Zalewski [EMAIL PROTECTED] wrote:
On Thu, 15 Feb 2007, pdp
Weird, Firefox slowly dies out

t2.html
<html>
<body>
<!-- outer page: just frames t1.html -->
<iframe src="t1.html"></iframe>
</body>
</html>

t1.html
<html>
<body>
<!-- framed page: rewrites its own location.hostname -->
<script>location.hostname = 'blog.com';</script>
</body>
</html>
On 2/15/07, pdp (architect) [EMAIL PROTECTED] wrote:
the first one runs
There is a serious vulnerability in Mozilla Firefox, tested with 2.0.0.1,
but quite certainly affecting all recent versions.
The problem lies in how Firefox handles writes to the 'location.hostname'
DOM property. It is possible for a script to set it to values that would
not otherwise be accepted
https://bugzilla.mozilla.org/show_bug.cgi?id=370445
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Ben Bucksch wrote:
https://bugzilla.mozilla.org/show_bug.cgi?id=370445
Hi Ben,
Are we going to see a version 2.0.0.2 of Firefox soon? With all the
Firefox bugs, we are about due.
--
Hawaiian
Peter Besenbruch wrote:
Ben Bucksch wrote:
https://bugzilla.mozilla.org/show_bug.cgi?id=370445
Are we going to see a version 2.0.0.2 of Firefox soon? With all the
Firefox bugs, we are about due.
A 2.0.0.2 is in progress
http://weblogs.mozillazine.org/qa/
Great, I cannot wait!
On 2/14/07, Daniel Veditz [EMAIL PROTECTED] wrote:
Peter Besenbruch wrote:
Ben Bucksch wrote:
https://bugzilla.mozilla.org/show_bug.cgi?id=370445
Are we going to see a version 2.0.0.2 of Firefox soon? With all the
Firefox bugs, we are about due.
A 2.0.0.2 is in