Re: New possible scam method : forged websites using XUL (Firefox)

From: Peter J. Holzer (hjp_at_wsr.ac.at)
Date: 08/02/04

    Date: Mon, 2 Aug 2004 11:59:17 +0200
    To: bugtraq@securityfocus.com

    On 2004-07-31 12:15:46 +0100, Marc wrote:
    > The latest version of Firefox is 0.9.2.
    >
    > > The developers of Mozilla are currently looking into various
    > > methods to make a fake user interface more obvious. The most
    > > likely solution will be to force the status bar to always be
    > > visible, as Microsoft will do with IE6 SP2.
    >
    > This appears to be the case with 0.9.2.
    > The spoofed PayPal site (from
    > http://www.nd.edu/~jsmith30/xul/test/spoof.html) cannot hide FireFox's
    > status bar - so you get 2 status bars displayed.

    On my system (Linux with fvwm2 window manager) the window has just the
    right size to show the fake status bar but hide the real status bar. The
    missing bottom window border is the only indication that there may be
    something wrong (and that's not a big indication, since windows that
    don't fit entirely on the screen aren't that uncommon).

    A quote from <URL:http://bugzilla.mozilla.org/show_bug.cgi?id=22183#c77>:

    | Anyway, we already put a dark inset border around untrusted chrome, we
    | already say [Javascript Application] on alerts, we already allow the
    | user to disable the disabling of the status bar, and so forth. Without
    | making ourselves the laughing stock of the Web browser implementer
    | community, there is little more we can do.

    It looks like firefox doesn't "put a dark inset border around untrusted
    chrome". Is there a similar exploit for Mozilla 1.7, to see whether that
    border would be noticeable? (The URLs in the bug don't work.)

    Anyway, there are a few more things that Mozilla (suite or firefox)
    could do:

    * allow user to disable hiding of chrome (like disabling popups, etc.)

    * add a UI to the "allow javascript only from trusted sites" feature.
      (few people know that mozilla can do that, and even for those, editing
      user.js is tedious).

            hp

    -- 
       _  | Peter J. Holzer      | Shooting the users in the foot is bad. 
    |_|_) | Sysadmin WSR / LUGA  | Giving them a gun isn't.
    | |   | hjp@wsr.ac.at        |	-- Gordon Schumacher,
    __/   | http://www.hjp.at/   |     mozilla bug #84128
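The two mitigations the post ends with (a user-side switch against hiding chrome, and Mozilla's "JavaScript only from trusted sites" capability policy that otherwise has to be typed into user.js) can be written down as prefs. The block below is an added example and not part of the original message or of any Mozilla code: the `user_pref` lines are in the real user.js syntax and use the real pref names (the CAPS `capability.policy.*` family and `dom.disable_window_open_feature.status`), while the `user_pref` shim, the allowlisted sites, and the small `javascriptAllowedFor` resolver are constructed here so the policy can be exercised outside the browser; the resolver's exact `scheme://host` matching is a simplification of Mozilla's site matching and is an assumption, not its code.

```javascript
// Added example (not from the original post or from Mozilla). The user.js lines
// use the Mozilla Configurable Security Policies (CAPS) prefs of the 2004-era
// suite and Firefox to allow JavaScript only on an allowlist of sites, plus the
// pref that stops window.open() features from hiding the status bar. The
// `user_pref` shim and the resolver below are constructed for this example so
// the policy can be run in Node; they are not part of Mozilla.
const prefs = {};
function user_pref(name, value) { prefs[name] = value; }

// --- user.js content: these lines can be copied verbatim into a profile's user.js ---
user_pref("javascript.enabled", false);                    // global default: no JS
user_pref("capability.policy.policynames", "trusted");      // declare one policy
user_pref("capability.policy.trusted.sites",
          "https://www.paypal.com https://www.hjp.at");     // constructed allowlist
user_pref("capability.policy.trusted.javascript.enabled", "allAccess");
user_pref("dom.disable_window_open_feature.status", true);  // status bar stays visible
// --- end of user.js content ---

// Simplified model of how CAPS resolves a capability for a document origin:
// the first named policy whose site list contains the origin (scheme://host,
// exact match; an assumed simplification of Mozilla's matching) decides,
// otherwise the global pref applies.
function javascriptAllowedFor(origin) {
  const names = (prefs["capability.policy.policynames"] || "")
    .split(/[\s,]+/).filter(Boolean);
  for (const name of names) {
    const sites = (prefs[`capability.policy.${name}.sites`] || "")
      .split(/\s+/).filter(Boolean);
    if (sites.includes(origin)) {
      const setting = prefs[`capability.policy.${name}.javascript.enabled`];
      if (setting === "allAccess") return true;
      if (setting === "noAccess") return false;
    }
  }
  return prefs["javascript.enabled"] === true;
}

// Whether a page opened with window.open(..., "status=no") may hide the real
// status bar under these prefs (the "disable the disabling" switch from the bug).
function pageMayHideStatusBar() {
  return prefs["dom.disable_window_open_feature.status"] !== true;
}

console.log(javascriptAllowedFor("https://www.paypal.com")); // true
console.log(javascriptAllowedFor("http://www.nd.edu"));      // false
console.log(pageMayHideStatusBar());                          // false
```

With the global `javascript.enabled` off, a spoof page served from an unlisted host gets no script at all, so it cannot open the chromeless window in the first place; the status-bar pref covers the case where scripting is allowed but the page still tries to remove the real status bar.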