Bugzilla Version 2.17.6
Bugzilla Bug 273699
2 Frame Injection Vulnerabilities (popup blocking race condition & onunload event mis-firing) [Secunia Advisory SA13129]
Last modified: 2004-12-08 21:53 PDT
Bug#: 273699
Reporter: Daniel Wang <daniel.bugmail@wangrepublic.org>
Status: NEW
Assigned To: Mozilla Security Bugs <security@mozilla.org>

Attachments:
testcase 1 - Time-Delayed Popup Replacing Frame of a Different Site (Race Condition) (text/html, created 2004-12-08 03:45 PDT)
testcase 2 - Event Misfiring (a window can replace another window with the same name) (text/html, created 2004-12-08 04:04 PDT)

Votes: 9

Description (opened 2004-12-08 03:24 PDT):
Secunia has reported that there is a frame injection vulnerability in Mozilla.
The test is a bit confusing, so here are the steps to reproduce (tested in Firefox

First test (w/ popup blocking)
1. enable popup blocker
2. open www.citibank.com/us/index.htm in one tab
3. open secunia.com/multiple_browsers_window_injection_vulnerability_test/
   in another tab
4. in vulnerability test page, click
    "Test Now - With Pop-up Blocker - Left Click On This Link"
5. close the new CitiBank window that opens
6. return to the CitiBank tab and click
    [(!)Consumer Alert]

2nd test (w/o pop-up blocking)
1. disable popup blocker
2. close the vulnerability test page if you had it opened
3. open
4. click
   "Test Now - Without Pop-up Blocker - Left Click On This Link"
5. in the CitiBank window, click
   [(!)Consumer Alert]

Results: CitiBank's popup gets replaced by Secunia content

------- Additional Comment #1 From Daniel Wang 2004-12-08 03:45 PDT -------
Created an attachment (id=168202)
testcase 1 - Time-Delayed Popup Replacing Frame of a Different Site (Race Condition)

Vulnerability 1 - Popup Racing

When popup blocking is enabled, a time-delayed popup (via setTimeout) can replace
another popup opened by another site. This requires that
1. both sites attempt to open popups with the same name
2. the legit, 2nd popup is opened before the first one is detected
   (and hence blocked)

------- Additional Comment #2 From Daniel Wang 2004-12-08 04:04 PDT -------
Created an attachment (id=168203)
testcase 2 - Event Misfiring (a window can replace another window with the same name)

Vulnerability 2 - Event Misfiring

Opening a named popup causes the onunload event of another frame with the same name
to fire, enabling it to replace the content of another popup.

------- Additional Comment #3 From Daniel Wang 2004-12-08 06:40 PDT -------
workaround fix for Firefox/Mozilla users added:

------- Additional Comment #4 From Juha-Matti Laurio 2004-12-08 13:41 PDT -------
This workaround makes the address bar visible in the opened window generated by, for
example, Secunia's test page (and a fictional malicious Web site).
When dom.disable_window_open_feature.location is set to 'true', the real address
http://secunia.com/ resultpage / [broken with spaces] is shown.

------- Additional Comment #5 From sadlittleboy@gmail.com 2004-12-08 21:50 PDT -------
Additional workaround is to install the Tabbrowser Extensions, and configure it
to open popups in new tabs.   This has been tested to block the sample code from

------- Additional Comment #6 From qazwsxedc@gmx.net 2004-12-08 21:53 PDT -------
Test case 1 above is invalid and the workaround published elsewhere does not
appear to work.  The test case does not work in the same way as

To demonstrate, set the dom.disable_window_open_feature.location to 'true', then
try test case 1 above.  You'll get the genuine Citibank content in the popup
window, and the popup does not show any location bar.

Then go to http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
and try Step 2 - With Popup Blocker.  You'll get the spoofed content this time
and the popup still does not show any location bar.

This is using Firefox 1.0 on WinNT4 SP6a.
