Fireflashing [Firefox 1.0]

From: mikx (mikx_at_MIKX.DE)
Date: 02/07/05

  • Next message: mikx: "Firetabbing [Firefox 1.0]" 
    Date:         Mon, 7 Feb 2005 18:52:12 +0100
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    __Summary

    Using plugins like Flash and the -moz-opacity filter it is possible to
    display the about:config site in a hidden frame or a new window.

    By making the user double-click at a specific screen position (e.g. using a
    DHTML game) you can silently toggle the status of boolean config parameters.

    As long as the number of about:config parameters is unchanged (unlikely a
    casual user will change them) you can move the parameter you want to the
    specified screen position by using CSS.

    You can also load about:config using the real player plugin and merged url
    events. See the real producer documentation for details and merge a command
    like "u 0:0:0:0.0 0:0:0:30.0 &&targetframe&&about:config"

    __Proof-of-Concept

    http://www.mikx.de/fireflashing/

    __Status

    The bug is marked as fixed in bugzilla. Get a nightly build, compile on your
    own or wait for Firefox 1.0.1.

    2005-02-01 Vendor informed (bugzilla.mozilla.org #280664)
    2005-02-01 Vendor confirmed bug
    2005-02-04 Vendor fixed bug
    2005-02-07 Public disclosure

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2005-0232 to this issue.

    __Affected Software

    Tested with Firefox 1.0 and Mozilla 1.7.5

    __Contact Informations

    Michael Krax <mikx@mikx.de>
    http://www.mikx.de/?p=10

    mikx 

    --
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--
  • Next message: mikx: "Firetabbing [Firefox 1.0]"

    Relevant Pages

    • [Full-Disclosure] Fireflashing [Firefox 1.0]
      ... Using plugins like Flash and the -moz-opacity filter it is possible to ... The bug is marked as fixed in bugzilla. ... 2005-02-01 Vendor confirmed bug ... Tested with Firefox 1.0 and Mozilla 1.7.5 ...
      (Full-Disclosure)
    • Fireflashing [Firefox 1.0]
      ... Using plugins like Flash and the -moz-opacity filter it is possible to ... The bug is marked as fixed in bugzilla. ... 2005-02-01 Vendor confirmed bug ... Tested with Firefox 1.0 and Mozilla 1.7.5 ...
      (Bugtraq)
    • Fireflashing [Firefox 1.0]
      ... Using plugins like Flash and the -moz-opacity filter it is possible to ... The bug is marked as fixed in bugzilla. ... 2005-02-01 Vendor confirmed bug ... Tested with Firefox 1.0 and Mozilla 1.7.5 ...
      (Full-Disclosure)
    • Firescrolling 2 [Firefox 1.0.1]
      ... hidden frame) the ability to hijack a drag and drop operation and open a ... The bug is fixed in Firefox 1.0.2. ... 2005-03-11 Vendor confirmed bug ...
      (NT-Bugtraq)
    • Re: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
      ... >bugzilla entry on bugzilla.mozilla.org which is the best place for bug ... This inconsistency can make it difficult for vulnerability reporters ... to contact the vendor, and some reporters feel forced to publicly ...
      (NT-Bugtraq)