| To: | "Michal Zalewski" <lcamtuf@dione.ids.pl> |
|---|---|
| Subject: | Re: [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability |
| From: | "pdp (architect)" <pdp.gnucitizen@googlemail.com> |
| Date: | Thu, 22 Feb 2007 13:12:02 +0000 |
| Cc: | bugtraq@securityfocus.com, security@mozilla.org, full-disclosure@lists.grok.org.uk |
| Delivered-to: | sp-com-lists@consult.net |
| Delivered-to: | bugtraq-list@securepoint.com |
| Delivered-to: | mailing list bugtraq@securityfocus.com |
| Delivered-to: | moderator for bugtraq@securityfocus.com |
| Dkim-signature: | a=rsa-sha1; c=relaxed/relaxed; d=googlemail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=WgPLaesigfxkGMBAMP2rhE5e+yprPX6oU6InqSv2UWpWMRTK/PS2vFpv0L7ituNduP1yo68AuXZca2l2VJp6y8RmoDt+RYIdL1N8S5sAzZ2RoDB04d+5+4sNtwCFA43SYrbIQ5P12W+xENh0cG18UFsnQ5zxP2Wq3uo1ub6IgKo= |
| Domainkey-signature: | a=rsa-sha1; c=nofws; d=googlemail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=DNQhr7C7SjAXR7veSeiu/bvi2h7canWEE6bRbLqCj4flgRPjax9xurbpX8Ej7Gnec6+AJALFcA8EBz5jL/jShyyXSXV+h/I5O7WkV2bK5KScgXOJ2JuKLOCtPBniI/caF+ZXQusmCEPglvCZyhLEdvytUbCLzfXwmzLxBWFJZWw= |
| In-reply-to: | <Pine.LNX.4.58.0702220146180.6282@dione> |
| List-help: | <mailto:bugtraq-help@securityfocus.com> |
| List-id: | <bugtraq.list-id.securityfocus.com> |
| List-post: | <mailto:bugtraq@securityfocus.com> |
| List-subscribe: | <mailto:bugtraq-subscribe@securityfocus.com> |
| List-unsubscribe: | <mailto:bugtraq-unsubscribe@securityfocus.com> |
| Mailing-list: | contact bugtraq-help@securityfocus.com; run by ezmlm |
| References: | <Pine.LNX.4.58.0702220046430.6282@dione> <6905b1570702211617k183d9260i9e00ed6f80accd73@mail.gmail.com> <Pine.LNX.4.58.0702220146180.6282@dione> |
This vulnerability is cute but not very useful mainly because a lot of social engineering is required. However, here is an interesting thought for you: instead of asking the user into bookmarking a page you can supply the bookmark directly to their browser by using Live Bookmarks. So, a mainstream attack will be when a SPLOG network injects malicious links into their feeds. If someone happens to be subscribed to this network with a Live Bookmark and they click on it... well you know. I haven't tested this, although it should work. So, although I would rate this issue as low risk, it could as well be quite high or at least medium. cheers On 2/22/07, Michal Zalewski <lcamtuf@dione.ids.pl> wrote: On Thu, 22 Feb 2007, pdp (architect) wrote: > michal, is that a feature or a bug? maybe it is not obivous to me what > you are doing but it i feel that it is almost like asking the user to > bookmark a bookmarklet. Bookmarklets should be bookmarkable only manually, with user knowledge and consent (that is, you need to copy-and-paste the URL, etc). This seems to be the case for javascript: URLs. Here, the situation is different: the user can, and quite likely will, unknowingly bookmark a script while attempting to bookmark a regular page via Ctrl-D + <return>. He doesn't expect or want this code to later run in the context of his start page or any other resource (principle of least astonishment, etc, etc). Cheers, /mz -- pdp (architect) | petko d. petkov http://www.gnucitizen.org |
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Firefox bookmark cross-domain surfing vulnerability, Michal Zalewski |
|---|---|
| Next by Date: | Re: [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability, pdp (architect) |
| Previous by Thread: | Re: [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability, Michal Zalewski |
| Next by Thread: | Re: [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability, Michal Zalewski |
| Indexes: | [Date] [Thread] [Top] [All Lists] |