Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
From: Richard Moore (richwestpoint.ltd.uk)
Date: Tue Feb 27 2007 - 07:19:08 CST
Michal Zalewski wrote:
> I can't really comment on whether
> this fixes the problem once and for all, because I haven't really examined
> the changes implemented for 364692, but yeah, my example no longer crashes
> the browser for me.
I think there are still underlying problems in the code as the
1. Put this in a web page, then view it in firefox.
<body onunload="location = self.location">
2. Click on the link which should take you to slashdot and you'll end
up back where you were (this has been known about for ages).
3. Now do 'View Source' and you get shown the sourcecode to slashdot
rather than the source code for the page you're viewing.
View source displays the contents of the wrong site
I'd expect to see the source code for the page I'm viewing.
A web page could trigger the link itself using DOM events (or navigate
the source code of a malicious page from the user. I did a quick check
that document.cookie wasn't checking the wrong URL, but I have not
checked extensively which other parts of the browser can be spoofed
in this fashion.
I reported this via bugzilla, but it was closed as a duplicate of bug
253497 which was reported in 2004.
Richard Moore, Principal Software Engineer,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/