From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7) Gecko/20040701 Firefox/0.9

Description of problem:
There may be a frame injection/spoofing security hole in Mozilla 1.6 and earlier, which could be used to assist in phishing attacks.

Note that there's a thread discussing this on the full-disclosure mailing list; there seems to be some controversy as to whether this is really a security hole. Nonetheless, Secunia claims it's fixed in Mozilla 1.7, and I can confirm that, insofar as Secunia's proof-of-concept successfully changes a frame in mozilla-1.6-8 but not mozilla-1.7-0.3.2.

BTW, the Secunia advisory is here:
http://secunia.com/advisories/11978/

Version-Release number of selected component (if applicable):
mozilla-1.6-8

How reproducible:
Always

Steps to Reproduce:
1. Visit the Secunia test site: http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/
2. Follow the directions.

Actual Results:
Secunia contents are injected into MSDN site.

Expected Results:
MSDN site contents are not replaced with Secunia contents.

Additional info:
One of the full-disclosure threads suggests that the attack may only be possible if pop-up blocking is disabled. I tested Mozilla 1.7 with pop-up blocking both enabled and disabled, and I tested Mozilla 1.6 with pop-up blocking disabled, but I have not tested Mozilla 1.6 with pop-up blocking enabled.
FWIW, the upstream (bugzilla.mozilla.org) bug number for this is 246448: http://bugzilla.mozilla.org/show_bug.cgi?id=246448
And this vulnerability is also mentioned on Slashdot: http://developers.slashdot.org/article.pl?sid=04/07/01/1741243
Blizzard pushed out the errata for this.
Errata was pushed for FC2, but not FC1. (Todd Denniston filed bug 130464 regarding this.)