Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: Assorted browser vulnerabilities



> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf 
> Of Michal Zalewski
> Sent: Monday, June 04, 2007 3:03 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] Assorted browser vulnerabilities
> 
> Hello,
> 
> Will keep it brief. A couple of browser bugs, fresh from the oven, hand
> crafted with love:
> 
> 1) Title    : MSIE page update race condition (CRITICAL)
>    Impact   : cookie stealing / setting, page hijacking, memory corruption
>    Demo     : http://lcamtuf.coredump.cx/ierace/
> 
>    ...aka the bait & switch vulnerability.
> 
>    When Javascript code instructs MSIE6/7 to navigate away from a page
>    that meets same-domain origin policy (and hence can be scriptually
>    accessed and modified by the attacker) to an unrelated third-party
>    site, there is a window of opportunity for concurrently executed
>    Javascript to perform actions with the permissions for the old page,
>    but actual content for the newly loaded page, for example:
> 
>      - Read or set victim.document.cookie,
> 
>      - Arbitrarily alter document DOM, including changing form submission
>        URLs, injecting code,
> 
>      - Read or write DOM structures that were not fully initialized,
>        prompting memory corruption and browser crash.
> 
>    This is tested on MSIE6 and MSIE7, fully patched.
> 
> 2) Title    : Firefox Cross-site IFRAME hijacking (MAJOR)
>    Impact   : keyboard snooping, content spoofing, etc
>    Demo     : http://lcamtuf.coredump.cx/ifsnatch/
>    Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=382686 [May 30]
> 
>    Javascript can be used to inject malicious code, including key-snooping
>    event handlers, on pages that rely on IFRAMEs to display contents or
>    store state data / communicate with the server.
> 
>    This is related to a less severe variant independently reported by
>    Ronen Zilberman two weeks earlier (bug 381300).
> 
> 3) Title    : Firefox file prompt delay bypass (MEDIUM)
>    Impact   : non-consensual download or execution of files
>    Demo     : http://lcamtuf.coredump.cx/ffclick2/
>    Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=376473 [Apr 04]
> 
>    A sequence of blur/focus operations can be used to bypass delay timers
>    implemented on certain Firefox confirmation dialogs, possibly enabling
>    the attacker to download or run files without user's knowledge or
>    consent.
> 
> 4) Title    : MSIE6 URL bar spoofing (MEDIUM)
>    Impact   : mimicking an arbitrary site, possibly including SSL data
>    Demo     : http://lcamtuf.coredump.cx/ietrap2/
> 
>    MSIE6 vulnerability, similar but unrelated to my earlier onUnload
>    entrapment flaw, allows sites to spoof URL bar data.
> 
>    MSIE7 is not affected because of certain high-level changes in the
>    browser.
> 
> 



 




Copyright © Lexa Software, 1996-2009.