Bug 127120 - CAN-2004-0718 frame injection (spoofing) vuln in Mozilla before 1.7
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: mozilla   
Version: 2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Christopher Aillon
QA Contact: Ben Levenson
URL: http://secunia.com/multiple_browsers_...
Keywords: Security
Reported: 2004-07-02 08:05 UTC by Barry K. Nathan
Modified: 2007-11-30 22:10 UTC (History)
Doc Type: Bug Fix
Last Closed: 2004-08-13 03:55:52 UTC


Description Barry K. Nathan 2004-07-02 08:05:05 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7)
Gecko/20040701 Firefox/0.9

Description of problem:
There may be a frame injection/spoofing security hole in Mozilla 1.6
and earlier, which could be used to assist in phishing attacks. Note
that there's a thread discussing this on the full-disclosure mailing
list; there seems to be some controversy as to whether this is really
a security hole. Nonetheless, Secunia claims it's fixed in Mozilla
1.7, and I can confirm that, insofar as Secunia's proof-of-concept
successfully changes a frame in mozilla-1.6-8 but not mozilla-1.7-0.3.2.

BTW, the Secunia advisory is here:
http://secunia.com/advisories/11978/


Version-Release number of selected component (if applicable):
mozilla-1.6-8

How reproducible:
Always

Steps to Reproduce:
1. Visit the Secunia test site:
http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/
2. Follow the directions.
    

Actual Results:  Secunia contents are injected into MSDN site.

Expected Results:  MSDN site contents are not replaced with Secunia
contents.

Additional info:

One of the full-disclosure threads suggests that the attack may only
be possible if pop-up blocking is disabled. I tested Mozilla 1.7 with
pop-up blocking both enabled and disabled, and I tested Mozilla 1.6
with pop-up blocking disabled, but I have not tested Mozilla 1.6 with
pop-up blocking enabled.

Comment 3 Barry K. Nathan 2004-07-03 06:28:16 UTC
FWIW, the upstream (bugzilla.mozilla.org) bug number for this is 246448:
http://bugzilla.mozilla.org/show_bug.cgi?id=246448


Comment 4 Barry K. Nathan 2004-07-03 06:30:36 UTC
And this vulnerability is also mentioned on Slashdot:
http://developers.slashdot.org/article.pl?sid=04/07/01/1741243


Comment 7 Christopher Aillon 2004-08-13 03:55:52 UTC
Blizzard pushed out the errata for this.  

Comment 8 Barry K. Nathan 2004-08-26 11:19:00 UTC
Errata was pushed for FC2, but not FC1. (Todd Denniston filed bug
130464 regarding this.)

