There seems to be some confusion regarding the exact impact of the
location.hostname vulnerability, and the ways to protect against it. I
wanted to offer a quick clarification.
1) Cookie setting (session fixation) attacks can be executed universally
and with no restrictions. This is demonst
On 2/15/07, Michal Zalewski <[EMAIL PROTECTED]> wrote:
>> [...on other potential Firefox flaws...]
>>
>> I did not research them any further, so I can't say if they're
>> exploitable - but you can see a demo here, feel free to poke around:
>>
>> http://lcamtuf.coredump.cx/fftests.html
On Thu, 1
This vuln is not exploitable in this condition against IIS server 6
and possibly earlier versions. IIS will die on the null character in
the new request. It doesn't seem like anyone has brought up this
fact.
Example (IIS): location.hostname='microsoft.com\x00www.coredump.cx';
Output:
microsoft.
Very good work.
I wonder whether we can execute code on about:config or about:cache.
Right now we can only modify cookies and bypass the same origin
policy. If we can get JavaScript running on about:cache or
about:config or some chrome URL, we might be able to completely hijack
the browser.
If tha
Weird, Firefox slowly dies out.
t2.html
t1.html
location.hostname="blog.com";
On 2/15/07, pdp (architect) <[EMAIL PROTECTED]> wrote:
> the first one runs in about:blank which is restricted. the second one
> is very interest
the first one runs in about:blank which is restricted. the second one
is very interesting but still not very useful because it acts like
about:blank. Hmmm, it seems that the hostname field has been seriously
overlooked.
On 2/15/07, Michal Zalewski <[EMAIL PROTECTED]> wrote:
> On Thu, 15 Feb 2007, p
On 2/15/07, Michal Zalewski <[EMAIL PROTECTED]> wrote:
> Actually, there are several odd problems related to location updates and
> location.hostname specifically, including one scenario that apparently
> makes the script run with document.location in about: namespace.
>
> I did not research them a
On Thu, 15 Feb 2007, pdp (architect) wrote:
> I wonder whether we can execute code on about:config or about:cache.
Actually, there are several odd problems related to location updates and
location.hostname specifically, including one scenario that apparently
makes the script run with document.loc
On Thu, 15 Feb 2007, 3APA3A wrote:
> Mitigating factor: it doesn't work through a proxy, because for a proxy the
> URI is sent instead of the URL, and the request will be incomplete.
Yup. Depends on the proxy, actually ('GET http://evil.com' might get
parsed as HTTP/0.9) - but Squid, both in direct and in revers
Dear Michal Zalewski,
Mitigating factor: it doesn't work through a proxy, because for a proxy the
URI is sent instead of the URL, and the request will be incomplete.
GET http://evil.com
--Thursday, February 15, 2007, 1:23:01 AM, you wrote to [EMAIL PROTECTED]:
MZ> 'evil.com\x00foo.example.com' to be a part
Great, I cannot wait!
On 2/14/07, Daniel Veditz <[EMAIL PROTECTED]> wrote:
Peter Besenbruch wrote:
> Ben Bucksch wrote:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=370445
>
> Are we going to see a version 2.0.0.2 of Firefox soon? With all the
> Firefox bugs, we are about due.
A 2.0.0.2 is i
Peter Besenbruch wrote:
> Ben Bucksch wrote:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=370445
>
> Are we going to see a version 2.0.0.2 of Firefox soon? With all the
> Firefox bugs, we are about due.
A 2.0.0.2 is in progress
http://weblogs.mozillazine.org/qa/
Ben Bucksch wrote:
> https://bugzilla.mozilla.org/show_bug.cgi?id=370445
>
Hi Ben,
Are we going to see a version 2.0.0.2 of Firefox soon? With all the
Firefox bugs, we are about due.
--
Hawaiian Astronom
https://bugzilla.mozilla.org/show_bug.cgi?id=370445
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
There is a serious vulnerability in Mozilla Firefox, tested with 2.0.0.1,
but quite certainly affecting all recent versions.
The problem lies in how Firefox handles writes to the 'location.hostname'
DOM property. It is possible for a script to set it to values that would
not otherwise be accepted