[Full-Disclosure] Fireflashing [Firefox 1.0]

From: mikx (mikx_at_mikx.de)
Date: 02/07/05

  • Next message: mikx: "[Full-Disclosure] Firedragging [Firefox 1.0]"
    To: <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>, <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
    Date: Mon, 7 Feb 2005 18:52:12 +0100
    
    

    __Summary

    Using plugins like Flash and the -moz-opacity filter it is possible to
    display the about:config site in a hidden frame or a new window.

    By making the user double-click at a specific screen position (e.g. using a
    DHTML game) you can silently toggle the status of boolean config parameters.

    As long as the number of about:config parameters is unchanged (unlikely a
    casual user will change them) you can move the parameter you want to the
    specified screen position by using CSS.

    You can also load about:config using the real player plugin and merged url
    events. See the real producer documentation for details and merge a command
    like "u 0:0:0:0.0 0:0:0:30.0 &&targetframe&&about:config"

    __Proof-of-Concept

    http://www.mikx.de/fireflashing/

    __Status

    The bug is marked as fixed in bugzilla. Get a nightly build, compile on your
    own or wait for Firefox 1.0.1.

    2005-02-01 Vendor informed (bugzilla.mozilla.org #280664)
    2005-02-01 Vendor confirmed bug
    2005-02-04 Vendor fixed bug
    2005-02-07 Public disclosure

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2005-0232 to this issue.

    __Affected Software

    Tested with Firefox 1.0 and Mozilla 1.7.5

    __Contact Informations

    Michael Krax <mikx@mikx.de>
    http://www.mikx.de/?p=10

    mikx

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: mikx: "[Full-Disclosure] Firedragging [Firefox 1.0]"