Mozilla uses a same origin security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. From the same origin policy:
Mozilla considers two pages to have the same origin if the protocol, port (if given), and host are the same for both pages.
This URI will display an alert dialog with the contents of the HTTP cookie for the current site:
The same origin security model should not allow script from one domain to read or modify data in a different domain using this type of "script URI".
By convincing a victim to view an HTML document (web page), an attacker could evaluate script in a different security domain than the one containing the attacker's document. The attacker could read or modify data in other web sites (read cookies/content, modify/create content, etc.). If the script is evaluated with chrome privileges, an attacker could execute arbitrary commands on the user's system. VU#648758 describes one way to execute script with chrome privileges. However, due to recent changes made to the addons.mozilla.org and update.mozilla.org sites, the current proof-of-concept code that utilizes VU#648758 no longer functions properly.
This vulnerability was reported by Paul of Greyhats and Michael Krax. Thanks to Daniel Veditz of the Mozilla Foundation for discussing the vulnerability.
This document was written by Will Dormann.
|Date First Published:||2005-05-10|
|Date Last Updated:||2005-08-09 16:07 UTC|