View Bug Activity
Format For Printing
Secunia has reported there is frame injection vulnerability in Mozilla
The test is a bit confusing, so here's the steps to reproduce (tested in Firefox
First test (w/ popup blocking)
1. enable popup blocker
2. open www.citibank.com/us/index.htm in one tab
3. open secunia.com/multiple_browsers_window_injection_vulnerability_test/
in another tab
4. in vulnerability test page, click
"Test Now - With Pop-up Blocker - Left Click On This Link"
5. close the new CitiBank window that opens
6 returns to the CitiBlank tab, and click
2nd test (w/o pop-up blocking)
1. disable popup blocker
2. close the vulnerability test page if you had it opened
"Test Now - Without Pop-up Blocker - Left Click On This Link"
5. in the CitiBlank window, click
Results: CitiBank's popup gets replaced by Secunia content
Created an attachment (id=168202)
testcase 1 - Time-Delayed Popup Replacing Frame of a Different Site (Race
Vulnerability 1 - Popup Racing
When popup blocking is enabled, time-delayed popup (via setTimeout) can replace
another popup opened by another site. This requires that
1. both sites attempt to open popups with the same name
2. the legit, 2nd popup is opened before the first one is detected
(and hence blocked)
Created an attachment (id=168203)
testcase 2 - Event Misfiring (a window can replace another window with the
Vulnerability 2 - Event Misfiring
Opening a named popup causes unonload event of another frame with the same name
to fire, enabling it to replace the content of another popup.
workaround fix for Firefox/Mozilla users added:
This workaround enables Address Bar visible in opened window generated by for
example Secunia's test page (and a fictional malicious Web site).
When dom.disable_window_open_feature.location is set to 'true', the real address
http://secunia.com/ resultpage / [broken with spaces] is showing.
Additional workaround is to install the Tabbrowser Extensions, and configure it
to open popups in new tabs. This has been tested to block the sample code from
Test case 1 above is invalid and the workaround published elsewhere does not
appear to work. The test case does not work in the same way as
To demonstrate, set the dom.disable_window_open_feature.location to 'true', then
try test case 1 above. You'll get the genuine Citibank content in the popup
window, and the popup does not show any location bar.
Then go to http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
and try Step 2 - With Popup Blocker. You'll get the spoofed content this time
and the popup still does not show any location bar.
This is using Firefox 1.0 on WinNT4 SP6a.