Red Hat Bugzilla – Bug 127120
CAN-2004-0718 frame injection (spoofing) vuln in Mozilla before 1.7
Last modified: 2007-11-30 17:10:45 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7)
Description of problem:
There may be a frame injection/spoofing security hole in Mozilla 1.6
and earlier, which could be used to assist in phishing attacks. Note
that there's a thread discussing this on the full-disclosure mailing
list; there seems to be some controversy as to whether this is really
a security hole. Nonetheless, Secunia claims it's fixed in Mozilla
1.7, and I can confirm that, insofar as Secunia's proof-of-concept
successfully changes a frame in mozilla-1.6-8 but not mozilla-1.7-0.3.2.
BTW, the Secunia advisory is here:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Visit the Secunia test site:
2. Follow the directions.
Actual Results: Secunia contents are injected into MSDN site.
Expected Results: MSDN site contents are not replaced with Secunia
One of the full-disclosure threads suggests that the attack may only
be possible if pop-up blocking is disabled. I tested Mozilla 1.7 with
pop-up blocking both enabled and disabled, and I tested Mozilla 1.6
with pop-up blocking disabled, but I have not tested Mozilla 1.6 with
pop-up blocking enabled.
FWIW, the upstream (bugzilla.mozilla.org) bug number for this is 246448:
And this vulnerability is also mentioned on Slashdot:
Blizzard pushed out the errata for this.
Errata was pushed for FC2, but not FC1. (Todd Denniston filed bug
130464 regarding this.)