Mozilla Firefox cross domain access updated since 15.02.2007
Published:		27.02.2007
Source:		BUGTRAQ
SecurityVulns ID:		7238
Type:		client
Level:		8/10
Description:		By using location.hostname='evil.com\x00foo.example.com' in javascript it's possible to make request for foo.example.com domain to be sent to evil.com. It makes it possible cross-domain access. Vulnerability can be used for hidden malware installation.

Affected:		MOZILLA : Firefox 2.0
CVE:		CVE-2007-1084 (Mozilla Firefox 2.0.0.1 and earlier does not prompt users before saving bookmarklets, which allows remote attackers to bypass the same-domain policy by tricking a user into saving a bookmarklet with a data: scheme, which is executed in the context of the last visited web page.)
		CVE-2007-1004 (Mozilla Firefox might allow remote attackers to conduct spoofing and phishing attacks by writing to an about:blank tab and overlaying the location bar.)
		CVE-2007-0981 (Mozilla based browsers, including Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8, allow remote attackers to bypass the same origin policy, steal cookies, and conduct other attacks by writing a URI with a null byte to the hostname (location.hostname) DOM property, due to interactions with DNS resolver code.)

Original document		MOZILLA, Mozilla Foundation Security Advisory 2007-07 (27.02.2007)
		Michal Zalewski, [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability (22.02.2007)
		Michal Zalewski, Firefox: about:blank is phisher's best friend (18.02.2007)
		Michal Zalewski, Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability (15.02.2007)
		Michal Zalewski, Firefox: serious cookie stealing / same-domain bypass vulnerability (15.02.2007)

Discuss:

Read or add your comments to this news (0 comments)