[Kazehakase-devel 2931] Re: CVE-2007-1084 bookmarklets cross-site info disclosure


Mamoru Tasaka mtasa****@ioa*****
November 15, 2009 (Sun) 22:21:20 JST


Hello:

Yavor Doganov wrote, at 11/15/2009 07:03 PM +9:00:
> Greetings,
> 
> The following security bug was reported to Debian against the
> kazehakase package:
> 
> CVE-2007-1084[0]:
> | Mozilla Firefox 2.0.0.1 and earlier does not prompt users before
> | saving bookmarklets, which allows remote attackers to bypass the
> | same-domain policy by tricking a user into saving a bookmarklet with a
> | data: scheme, which is executed in the context of the last visited web
> | page.
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1084
> 
> More information and a reproducible test case are available at
> http://lcamtuf.coredump.cx/ffbook/.
> 
> I propose the attached patch.

Well, I don't know much about javascript or CVE-2007-1084; however:
- what is the rationale for disabling bookmarking of URIs beginning with
  "data:"? I have a Fedora 12 i686 system and even with firefox 3.5.5
  I can bookmark such URIs (i.e. URIs beginning with data:)
- And moreover, even with firefox 3.5.5 / xulrunner 1.9.1.5
  I can see the "EXPLOITATION SUCCESSFUL" message although I don't know
  what the exact exploitation is.
So would you explain in more detail?

Regards,
Mamoru
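The patch Yavor attached is not reproduced in this archive page. As an added illustration (not code from Kazehakase or from either poster), the following C shows what a bookmark-dialog check that refuses to store data: URIs can look like, written so that it also catches the upper-case and leading-whitespace spellings (`DATA:`, `  data:`) that a bare `strncmp(uri, "data:", 5)` would miss, while leaving URLs that merely contain "data:" in a query string alone. The function names and the reject-on-data policy are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Extract the URI scheme per RFC 3986
 * (scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"),
 * lower-cased, into buf. Returns false when the string has no scheme. */
static bool uri_scheme(const char *uri, char *buf, size_t buflen)
{
    size_t n = 0;
    /* Browsers strip leading whitespace/control characters before parsing,
     * so a plain prefix comparison would miss "  data:" or "\tdata:". */
    while (*uri && (unsigned char)*uri <= ' ')
        uri++;
    if (!isalpha((unsigned char)*uri))
        return false;
    for (; *uri; uri++) {
        unsigned char c = (unsigned char)*uri;
        if (c == ':')
            break;
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.'))
            return false;              /* not a scheme character: no scheme */
        if (n + 1 >= buflen)
            return false;              /* too long to be "data" anyway */
        buf[n++] = (char)tolower(c);
    }
    if (*uri != ':')
        return false;
    buf[n] = '\0';
    return true;
}

/* Assumed policy for the bookmark dialog (hypothetical helper): refuse to
 * store a bookmark whose scheme is "data", since such a bookmarklet runs in
 * the context of whatever page is open when it is clicked.
 * Returns true when the URI must be rejected. */
bool bookmark_uri_is_data_scheme(const char *uri)
{
    char scheme[32];
    if (!uri_scheme(uri, scheme, sizeof scheme))
        return false;   /* no scheme at all: a relative path, not a bookmarklet */
    return strcmp(scheme, "data") == 0;
}
```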

