BugTraq
Browser bugs hit IE, Firefox today (SANS) Jun 30 2006 12:17AM
Bill Stout (bill stout greenborder com) (1 replies)
Re: Browser bugs hit IE, Firefox today (SANS) Jun 30 2006 05:19PM
Alex Potter (alex ap-consulting co uk) (1 replies)
Re: Browser bugs hit IE, Firefox today (SANS) Jul 04 2006 11:24AM
Thor Larholm (thor polypath com) (2 replies)
Alex Potter wrote:

>http://isc.sans.org/diary.php?storyid=1448 - update says
>
>"After doing more research on this vulnerability and with great help from our
>readers (thanks to Dan and another reader) it seems that Mozilla Firefox is
>not affected by this vulnerability."
>
>
Firefox might not be directly affected by this vulnerability, but it
does remind me of inconsistencies in how the security context of an
object is handled inside Firefox.

Ordinarily, when you have a window object containing a document from a
thirdparty domain, such as <iframe id="thirdparty"
src="http://google.com"></iframe>, you are not allowed to reference any
kind of objects inside this window. Using a DOM 0 approach,
window.frames[0].contentDocument will give you a security exception.
However, reading the contentDocument property of the DOM element instead
of the through the frames collection will give you a reference to the
document object inside the thirdparty domain and even allow you to
overwrite native DOM methods without throwing a security exception, such
as
document.getElementById("thirdparty").contentDocument.getElementById=fun
ction(s){alert(s)}.
This also holds true for window.frames[0].document.getElementsByTagName
and any other methods on the document object.

Functionally, the document and contentDocument properties both reference
the same object and should obey the same security context rules, however
Firefox differentiates based on how you reference that object and thus
allows you to overwrite native DOM methods on a thirdparty domain,
broadening the potential attack scope by allowing you to interfere with
the operations of existing script code inside that thirdparty document.

--
Thor Larholm
PolyPath, CSO

[ reply ]
Re: Browser bugs hit IE, Firefox today (SANS) Jul 12 2006 07:52PM
3CO (threecheeseopera gmail com)
Re: Browser bugs hit IE, Firefox today (SANS) Jul 04 2006 11:58PM
Paul Szabo (psz maths usyd edu au)


 

Privacy Statement
Copyright 2010, SecurityFocus