Secunia has reported there is a frame injection vulnerability in Mozilla.

The test is a bit confusing, so here are the steps to reproduce (tested in Firefox 1.0).

First test (w/ popup blocking)
1. enable popup blocker
2. open www.citibank.com/us/index.htm in one tab
3. open secunia.com/multiple_browsers_window_injection_vulnerability_test/ in another tab
4. in vulnerability test page, click "Test Now - With Pop-up Blocker - Left Click On This Link"
5. close the new CitiBank window that opens
6. return to the CitiBank tab, and click [(!)Consumer Alert]

2nd test (w/o pop-up blocking)
1. disable popup blocker
2. close the vulnerability test page if you had it opened
3. open secunia.com/multiple_browsers_window_injection_vulnerability_test/
4. click "Test Now - Without Pop-up Blocker - Left Click On This Link"
5. in the CitiBank window, click [(!)Consumer Alert]

Results: CitiBank's popup gets replaced by Secunia content

Created an attachment (id=168202)
testcase 1 - Time-Delayed Popup Replacing Frame of a Different Site (Race Condition)

Vulnerability 1 - Popup Racing
When popup blocking is enabled, a time-delayed popup (via setTimeout) can replace another popup opened by another site. This requires that
1. both sites attempt to open popups with the same name
2. the legit, 2nd popup is opened before the first one is detected (and hence blocked)

Created an attachment (id=168203)
testcase 2 - Event Misfiring (a window can replace another window with the same name)

Vulnerability 2 - Event Misfiring
Opening a named popup causes the onunload event of another frame with the same name to fire, enabling it to replace the content of another popup.

workaround fix for Firefox/Mozilla users added: http://mozillanews.org/?article_date=2004-12-08+06-48-46
This workaround makes the Address Bar visible in opened windows generated by, for example, Secunia's test page (and a fictional malicious Web site). When dom.disable_window_open_feature.location is set to 'true', the real address http://secunia.com/ resultpage / [broken with spaces] is shown.

An additional workaround is to install the Tabbrowser Extensions, and configure it to open popups in new tabs. This has been tested to block the sample code from Secunia.

Test case 1 above is invalid and the workaround published elsewhere does not appear to work. The test case does not work in the same way as http://secunia.com/multiple_browsers_window_injection_vulnerability_test/.

To demonstrate, set the dom.disable_window_open_feature.location to 'true', then try test case 1 above. You'll get the genuine Citibank content in the popup window, and the popup does not show any location bar. Then go to http://secunia.com/multiple_browsers_window_injection_vulnerability_test/ and try Step 2 - With Popup Blocker. You'll get the spoofed content this time and the popup still does not show any location bar.

This is using Firefox 1.0 on WinNT4 SP6a.