In association with heise online

15 February 2007, 12:07

Cross-site scripting hole in Firefox

Michal Zalewski has discovered a hole in Firefox 2 that allows attackers to conduct cross-site scripting attacks. The flaw probably also affects older versions. The location.hostname feature in the Open Source browser's Document Object Model (DOM) does not work with null-terminated strings. As a result, would appear as a subdomain of under\ to Firefox; because of the NULL-terminated string, the DNS entry turns into

Attackers can then steal or manipulate cookies from In addition, attackers can manipulate the document.domain property to get access to other frames. Zalewski has created a website to demonstrate this vulnerability. Developers are discussing the hole in an entry in the Bugzilla system. There, we read that the attack does not work if users add the following to the configuration file:

user_pref("capability.policy.default.Location.hostname.set", "noAccess");

No patch has yet been provided as a software update, but the developers plan to release version soon. However, they have not yet remedied the flaw in the current developer version RC2.
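
The mismatch described above, as an added example that is not part of the original article and not Firefox code: a length-counted suffix check and a NUL-terminated consumer read the same hostname differently, and a strict syntax check rejects the value before either view is used. The hostnames attacker.test and victim.test and all function names are constructed for illustration.

```javascript
// Added illustration with constructed hostnames (reserved .test names).
const NUL = "\u0000";

// View 1: a length-counted string comparison sees the whole value, NUL included.
function looksLikeSubdomainOf(hostname, parent) {
  return hostname === parent || hostname.endsWith("." + parent);
}

// View 2: a C-style (NUL-terminated) consumer, such as a resolver call,
// sees only the bytes before the first NUL.
function asCString(hostname) {
  const cut = hostname.indexOf(NUL);
  return cut === -1 ? hostname : hostname.slice(0, cut);
}

// Strict check: every label must be letters, digits or hyphens (1 to 63 chars),
// so NUL and any other control character is refused outright.
function isValidHostname(hostname) {
  if (typeof hostname !== "string") return false;
  if (hostname.length === 0 || hostname.length > 253) return false;
  const label = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;
  return hostname.split(".").every((l) => label.test(l));
}

// Report both views and whether a hardened setter would accept the value.
function auditHostname(hostname, parent) {
  const resolvedName = asCString(hostname);
  const treatedAsSubdomain = looksLikeSubdomainOf(hostname, parent);
  return {
    treatedAsSubdomain,
    resolvedName,
    viewsDisagree: resolvedName !== hostname,
    accepted: isValidHostname(hostname) && treatedAsSubdomain,
  };
}

// Constructed inputs: one with an embedded NUL, one ordinary subdomain.
const crafted = "attacker.test" + NUL + ".victim.test";
console.log(auditHostname(crafted, "victim.test"));
console.log(auditHostname("www.victim.test", "victim.test"));
```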
