URL spoofing bug involving Firefox's error pages and document.write

2009.08.04
Risk: Low
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: Partial

Application: Firefox 3.0.11
OS: Windows XP - SP3
------------------------------------------------------
1 - Description
2 - Vulnerability
3 - POC/EXPLOIT
------------------------------------------------------
Description

This software is a popular web browser that supports multiple platforms (Windows, Linux, Mac OS).
------------------------------------------------------
Vulnerability

The bug is triggered when you try to open a URL with an invalid character. At that point you can edit the error page and make a "spoof". This would not be important on its own, because once you make the spoof the "invalid web" keeps loading all the time, but since Firefox allows you to call the "stop" method of another page, you can stop this. The result is a fake page.
------------------------------------------------------
POC/EXPLOIT

The PoC is a simple script that has a window.open(); it calls the URL with the invalid character. The invalid character can be a "," or "%". It is important that you add some "%20" to display "white space" in the URL.

http://es.geocities.com/jplopezy/firefoxspoofing.html

PS: I sent this to Bugzilla.
------------------------------------------------------
Juan Pablo Lopez Yacubian
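A defender-side triage heuristic for the URL traits described above (an invalid "," or "%" plus "%20" padding), as an added example that is not part of the original advisory. The function names, the padding threshold and the choice to look for the comma only in the authority part are assumptions; the sample URLs are constructed.

```javascript
// Added example: flag link targets that carry the traits this advisory
// describes. Heuristic only; names and thresholds are assumptions.

const PADDING_RUN = 3; // constructed threshold: consecutive "%20" or spaces

function triageUrl(raw) {
  const findings = [];

  // A "%" that does not start a valid %XX escape (the advisory's invalid "%").
  if (/%(?![0-9A-Fa-f]{2})/.test(raw)) {
    findings.push("malformed-percent-escape");
  }

  // Runs of encoded or literal spaces, which render as white space in the
  // location bar and can push the rest of the URL out of view.
  const padding = new RegExp(`(?:%20| ){${PADDING_RUN},}`);
  if (padding.test(raw)) {
    findings.push("whitespace-padding");
  }

  // A "," inside the authority (host) part. Assumption: the advisory does
  // not say where the invalid character sits; commas in paths are legal.
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(raw);
  if (m && m[1].includes(",")) {
    findings.push("comma-in-authority");
  }

  return findings;
}

// Return only the URLs that triggered at least one finding.
function triageAll(urls) {
  return urls
    .map((url) => ({ url, findings: triageUrl(url) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample input (e.g. link targets extracted from a page or proxy log).
const SAMPLE_URLS = [
  "http://www.example.com/index.html",
  "http://www.example.com/a%20b",
  "http://www.example.com%/",
  "http://www.example.com,%20%20%20%20x",
];

for (const r of triageAll(SAMPLE_URLS)) {
  console.log(r.findings.join(", ").padEnd(40), r.url);
}
```

A single "%20" in a path is normal and is not flagged; only runs at or above the threshold are.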

References:

https://bugzilla.mozilla.org/show_bug.cgi?id=451898
http://www.vupen.com/english/advisories/2009/2006
http://www.securityfocus.com/archive/1/505242/30/0/threaded
http://secunia.com/advisories/36001
http://blog.mozilla.com/security/2009/07/28/url-bar-spoofing-vulnerability/



Copyright 2024, cxsecurity.com

 
