SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#262350

Mozilla status elements can be disabled via JavaScript

Overview

Mozilla allows websites to disable various browser status elements. This allows websites to create spoofed dialogs using XUL.

I. Description

Certain Mozilla web browser status elements, such as the address bar, status bar, and navigation controls, can be disabled remotely by web sites using JavaScript. Consequently, attackers can design malicious web sites that disable these native elements and, using XUL, recreate pages that look like native Mozilla dialogs and windows. (XUL is Mozilla's XML-based user interface. It allows for the development of cross-platform applications.)

II. Impact

An attacker could convince a user that they were viewing a native Mozilla dialog, when in fact they are visiting a page created by the attacker. The attacker could use additional social engineering techniques to trick the victim into disclosing sensitive information such as credit card numbers, account numbers, and passwords. The attacker could also spoof pop-up windows that do not display the address bar.

III. Solution

Disable the ability to hide status items

By performing the following steps, it is possible to prevent JavaScript from disabling status elements. This will make XUL-created pages appear distinct from native Mozilla dialogs.

    1. Enter "about:config" in Mozilla's address bar. This will display Mozilla's configuration values.
    2. Set the following values to true:


    dom.disable_window_open_feature.titlebar
    dom.disable_window_open_feature.close
    dom.disable_window_open_feature.toolbar
    dom.disable_window_open_feature.location
    dom.disable_window_open_feature.directories
    dom.disable_window_open_feature.personalbar
    dom.disable_window_open_feature.menubar
    dom.disable_window_open_feature.scrollbars
    dom.disable_window_open_feature.resizable
    dom.disable_window_open_feature.minimizable
    dom.disable_window_open_feature.status
These preferences can also be set via the user.js file.

Systems Affected
VendorStatusDate NotifiedDate Updated
MozillaUnknown16-Dec-2004

References


http://secunia.com/advisories/12188/
http://www.securityfocus.com/bid/10832
http://xforce.iss.net/xforce/xfdb/16837
https://bugzilla.mozilla.org/show_bug.cgi?id=176304
http://bugzilla.mozilla.org/show_bug.cgi?id=244965
http://bugzilla.mozilla.org/show_bug.cgi?id=22183

Credit

This vulnerability was reported by David Ahmad. The workaround was provided by Asa Dotzler.

This document was written by Will Dormann.

Other Information

Date Public:2004-07-30
Date First Published:2004-12-17
Date Last Updated:2004-12-22
CERT Advisory: 
CVE-ID(s):CAN-2004-0764
NVD-ID(s):CAN-2004-0764
US-CERT Technical Alerts: 
Metric:1.04
Document Revision:17

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader