Firetabbing [Firefox 1.0]

From: mikx (mikx_at_MIKX.DE)
Date: 02/07/05

  • Next message: Marc Maiffret: "EEYE: Windows SMB Client Transaction Response Handling Vulnerability" 
    Date:         Mon, 7 Feb 2005 18:50:23 +0100
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    __Summary

    The javascript security manager usually prevents that a javascript: URL from
    one host is opened in a window displaying content from another host. But
    when the link is dropped to a tab, the security manager does not kick in.

    This can lead to several security problems scaling from stealing session
    cookies to the ability to run arbitrary code on the client system (depending
    on the displayed site or security setttings).

    Tabbed browsing is a great feature to organize mutliple website, but after a
    while also tabs become too much. Now you have two options: Close tabs and
    open new ones (CTRL+W to close a tab, followed by a CTRL+click on a link to
    open a new one), or just recycle already open tabs by dragging links to
    them - the solution i prefer.

    __Proof-of-Concept

    http://www.mikx.de/firetabbing/

    __Status

    The bug is marked as fixed in bugzilla. Get a nightly build, compile on your
    own or wait for Firefox 1.0.1.

    2005-01-27 Vendor informed (bugzilla.mozilla.org #280056)
    2005-01-28 Vendor confirmed bug
    2005-02-05 Vendor fixed bug
    2005-02-07 Public disclosure

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2005-0231 to this issue.

    __Affected Software

    Tested with Firefox 1.0 and Mozilla 1.7.5

    __Contact Informations

    Michael Krax <mikx@mikx.de>
    http://www.mikx.de/?p=9

    mikx 

    --
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--
  • Next message: Marc Maiffret: "EEYE: Windows SMB Client Transaction Response Handling Vulnerability"

    Relevant Pages

    • Firetabbing [Firefox 1.0]
      ... The javascript security manager usually prevents that a javascript: ... one host is opened in a window displaying content from another host. ... while also tabs become too much. ...
      (Bugtraq)
    • [Full-Disclosure] Firetabbing [Firefox 1.0]
      ... The javascript security manager usually prevents that a javascript: ... one host is opened in a window displaying content from another host. ... while also tabs become too much. ...
      (Full-Disclosure)
    • Firetabbing [Firefox 1.0]
      ... The javascript security manager usually prevents that a javascript: ... one host is opened in a window displaying content from another host. ... while also tabs become too much. ...
      (Full-Disclosure)