Re: Browser bugs hit IE, Firefox today (SANS)

[Thor Larholm <thor () polypath com>]

Alex Potter wrote:

> http://isc.sans.org/diary.php?storyid=1448 - update says 
>
> "After doing more research on this vulnerability and with great help from our 
> readers (thanks to Dan and another reader) it seems that Mozilla Firefox is 
> not affected by this vulnerability."
>  
Firefox might not be directly affected by this vulnerability, but it 
does remind me of inconsistencies in how the security context of an 
object is handled inside Firefox.

Ordinarily, when you have a window object containing a document from a 
thirdparty domain, such as <iframe id="thirdparty" 
src="http://google.com";></iframe>, you are not allowed to reference any 
kind of objects inside this window. Using a DOM 0 approach, 
window.frames[0].contentDocument will give you a security exception. 
However, reading the contentDocument property of the DOM element instead 
of the through the frames collection will give you a reference to the 
document object inside the thirdparty domain and even allow you to 
overwrite native DOM methods without throwing a security exception, such 
as 
document.getElementById("thirdparty").contentDocument.getElementById=function(s){alert(s)}. 
This also holds true for window.frames[0].document.getElementsByTagName 
and any other methods on the document object.

Functionally, the document and contentDocument properties both reference 
the same object and should obey the same security context rules, however 
Firefox differentiates based on how you reference that object and thus 
allows you to overwrite native DOM methods on a thirdparty domain, 
broadening the potential attack scope by allowing you to interfere with 
the operations of existing script code inside that thirdparty document.

--
Thor Larholm
PolyPath, CSO