> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of Michal Zalewski
> Sent: Monday, June 04, 2007 3:03 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] Assorted browser vulnerabilities
>
> Hello,
>
> Will keep it brief. A couple of browser bugs, fresh from the oven, hand
> crafted with love:
>
> 1) Title  : MSIE page update race condition (CRITICAL)
>    Impact : cookie stealing / setting, page hijacking, memory corruption
>    Demo   : http://lcamtuf.coredump.cx/ierace/
>
> ...aka the bait & switch vulnerability.
>
> When Javascript code instructs MSIE6/7 to navigate away from a page
> that meets same-domain origin policy (and hence can be scriptually
> accessed and modified by the attacker) to an unrelated third-party
> site, there is a window of opportunity for concurrently executed
> Javascript to perform actions with the permissions for the old page,
> but actual content for the newly loaded page, for example:
>
> - Read or set victim.document.cookie,
>
> - Arbitrarily alter document DOM, including changing form submission
>   URLs, injecting code,
>
> - Read or write DOM structures that were not fully initialized,
>   prompting memory corruption and browser crash.
>
> This is tested on MSIE6 and MSIE7, fully patched.
>
> 2) Title    : Firefox Cross-site IFRAME hijacking (MAJOR)
>    Impact   : keyboard snooping, content spoofing, etc
>    Demo     : http://lcamtuf.coredump.cx/ifsnatch/
>    Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=382686 [May 30]
>
> Javascript can be used to inject malicious code, including key-snooping
> event handlers, on pages that rely on IFRAMEs to display contents or
> store state data / communicate with the server.
>
> This is related to a less severe variant independently reported by
> Ronen Zilberman two weeks earlier (bug 381300).
>
> 3) Title    : Firefox file prompt delay bypass (MEDIUM)
>    Impact   : non-consensual download or execution of files
>    Demo     : http://lcamtuf.coredump.cx/ffclick2/
>    Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=376473 [Apr 04]
>
> A sequence of blur/focus operations can be used to bypass delay timers
> implemented on certain Firefox confirmation dialogs, possibly enabling
> the attacker to download or run files without user's knowledge or
> consent.
>
> 4) Title  : MSIE6 URL bar spoofing (MEDIUM)
>    Impact : mimicking an arbitrary site, possibly including SSL data
>    Demo   : http://lcamtuf.coredump.cx/ietrap2/
>
> MSIE6 vulnerability, similar but unrelated to my earlier onUnload
> entrapment flaw, allows sites to spoof URL bar data.
>
> MSIE7 is not affected because of certain high-level changes in the
> browser.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>