Mozilla Firefox window.location Referer Spoofing

Firefox 2.0.0.10 has been released.

Included in the update is a fix for the window.location race condition security vulnerability that I discovered. By abusing the race condition, it is possible to spoof the HTTP Referer header. This is a pretty powerful technique when performing cross-site request forgery (CSRF), since many applications rely on the Referer value to tell a genuine request from a forged one. The only challenge is that an alert, confirm or prompt modal dialog needs to be displayed for the race condition to be exploitable. That is where some social engineering skills may come in handy.

A more detailed discussion and demonstration.

Posted by gfleischer on 2007/11/26 at 21:51 in Vulnerabilities

Another Firefox Focus File Stealing Bug

Well, another Firefox focus file stealing bug has been reported. Let's see. That took a little over a month after the problem was supposedly resolved in Firefox 2.0.0.8.

Originally reported to Bugzilla by "tha featurizer" based on http://www.0x000000.com/index.php?i=479.

Firefox 3 can't come soon enough. The focus issue should finally be resolved there, given that the text entry box on the file input element is no longer accessible. That is probably less than desirable from a usability perspective, but I think the security implications definitely override any usability concerns.

I've submitted a sample exploit to Bugzilla. Once the exploit is made public I'll post an online version.

Posted by gfleischer on 2007/11/20 at 00:13 in Vulnerabilities
