Full Disclosure mailing list archives
Re: Firefox 2.0.0.6 Remote Variable Leakage vulnerability
From: Joseph Hick <leet16y () yahoo com>
Date: Mon, 13 Aug 2007 22:13:08 -0700 (PDT)
Any sensitive data being leaked? A browser giving away its properties to a script should not be termed a vulnerability. Is it causing any of these...

1.) Loss of confidentiality
2.) Loss of integrity
3.) Loss of availability

--- carl hardwick <hardwick.carl () gmail com> wrote:
Firefox Remote Variable Leakage

It is possible to read all variables that are set inside Firefox. That's right: ALL variables and registered objects that are present inside Javascript files and on runtime. It's even possible to call certain functions. That ranges from local Mozilla config files to all extensions registered inside Firefox. The example below will show you a list of a couple variables that were set.

Note: it is possible to actively scan variables and hijack them when you need to. I've tested this against my own Firefox extension called: Fire Encrypter. And I was able to steal a dynamically generated password successfully.

PoC here: http://www.0x000000.com/hacks/firefox/variables.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Firefox 2.0.0.6 Remote Variable Leakage vulnerability carl hardwick (Aug 12)
- Re: Firefox 2.0.0.6 Remote Variable Leakage vulnerability Michal Zalewski (Aug 13)
- Re: Firefox 2.0.0.6 Remote Variable Leakage vulnerability Joseph Hick (Aug 13)
- Re: Firefox 2.0.0.6 Remote Variable Leakage vulnerability Steven (Aug 14)