Cross-site scripting hole in Firefox
Michal Zalewski has discovered a hole in Firefox 2 that allows attackers to conduct cross-site scripting attacks. The flaw probably also affects older versions. The location.hostname feature in the Open Source browser's Document Object Model (DOM) does not work with null-terminated strings. As a result, badsite.com would appear as a subdomain of www.example.com under badsite.com\x00www.example.com to Firefox; because of the NULL-terminated string, the DNS entry turns into badsite.com.
Attackers can then steal or manipulate cookies from www.example.com. In addition, attackers can manipulate the document.domain property to get access to other frames. Zalewski has created a website to demonstrate this vulnerability. Developers are discussing the hole in an entry in the Bugzilla system. There, we read that the attack does not work if users add the following to the configuration file:
No patch has yet been provided as a software update, but the developers plan to release version 18.104.22.168 soon. However, they have not yet remedied the flaw in the current developer version 22.214.171.124 RC2.
- Firefox: serious cookie stealing / same-domain bypass vulnerability, Michal Zalewski's security advisory
- Zalewski's demonstration of the security hole
- Entry in Mozilla's Bugzilla system