Firefox: onUnload tailgating (MSIE7 entrapment bug variant)

bugtraq

Firefox: onUnload tailgating (MSIE7 entrapment bug variant)

To:	bugtraq@securityfocus.com
Subject:	Firefox: onUnload tailgating (MSIE7 entrapment bug variant)
From:	Michal Zalewski <lcamtuf@dione.ids.pl>
Date:	Fri, 23 Feb 2007 13:49:41 +0100 (CET)
Cc:	full-disclosure@lists.grok.org.uk, security@mozilla.org
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	bugtraq-list@securepoint.com
Delivered-to:	mailing list bugtraq@securityfocus.com
Delivered-to:	moderator for bugtraq@securityfocus.com
In-reply-to:	<Pine.LNX.4.58.0702230223340.21707@dione>
List-help:	<mailto:bugtraq-help@securityfocus.com>
List-id:	<bugtraq.list-id.securityfocus.com>
List-post:	<mailto:bugtraq@securityfocus.com>
List-subscribe:	<mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list:	contact bugtraq-help@securityfocus.com; run by ezmlm
References:	<Pine.LNX.4.58.0702230223340.21707@dione>

On Fri, 23 Feb 2007, Michal Zalewski wrote:

> Firefox isn't outright vulnerable to this problem, but judging from its
> behavior, it is likely to be susceptible to a variant of this bug

And indeed, susceptible it is. On the surface, the problem is even more
serious: the unloaded page can run Javascript in the context of a newly
loaded one.  Fortunately, at the time this is possible, 'document' and
'window' DOM hierarchies are not accessible - but then, 'location' is.
With a bit of clever trickery, we can mount the following attack:

  http://lcamtuf.coredump.cx/ietrap/ff/

As shown there, the problem is less serious than MSIE7 full-scale
Matrix-esque entrapment, but nevertheless - the bug is a cool one. And I
have a gut feeling this Javascript page jumping can be turned into
something nasty.

Bugzilla:
  https://bugzilla.mozilla.org/show_bug.cgi?id=371360

/mz

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
MSIE7 browser entrapment vulnerability (probably Firefox, too), Michal Zalewski Firefox: onUnload tailgating (MSIE7 entrapment bug variant), Michal Zalewski <= Re: MSIE7 browser entrapment vulnerability (probably Firefox, too), Jeffrey Katz Re: MSIE7 browser entrapment vulnerability (probably Firefox, too), Michal Zalewski RE: MSIE7 browser entrapment vulnerability (probably Firefox, too), perpetualmotionuk

Previous by Date:	iDefense Security Advisory 02.22.07: IBM DB2 Universal Database DB2INSTANCE File Creation Vulnerability, iDefense Labs
Next by Date:	Re: [Full-disclosure] Firefox Cache Hack - Firefox History Hack redux, Ben Bucksch
Previous by Thread:	MSIE7 browser entrapment vulnerability (probably Firefox, too), Michal Zalewski
Next by Thread:	Re: MSIE7 browser entrapment vulnerability (probably Firefox, too), Jeffrey Katz
Indexes:	[Date] [Thread] [Top] [All Lists]