|
|
Reported by Liu Die Yu
Mozilla, Netscape and possibly other browsers derived from Mozilla have been
found vulnerable to a race condition, which allows malicious sites to bypass the
security zone.
The problem is that Mozilla does not eliminate any active
scripts, when a user clicks on a link and a new page is being loaded. This
allows the previous site to launch a JavaScript, which is able to steal cookie
information from the new site and return it to the previous site.
This has only been confirmed on Microsoft Windows systems (Windows
Server 2003, Windows XP Pro and Windows 2000 Professional). Initial tests
indicate that Linux systems are not vulnerable.
Specific versions proved
vulnerable are Netscape 7.0, Mozilla 1.3 and Mozilla 1.4a.
To test you
browser Liu Die Yu has made a live example/exploit - see the "Other References"
section. |
|
Solution:
There is no immidiate solution.
We
recommend that you do not follow links from untrusted sites to sites that you
exchange sensitive information with. Use a different browser window to access
trusted sites or simply use another browser. |
|
Reported by / credits:
Liu Die Yu |
|
Original Advisory:
http://liudieyuinchina.vip.sina.com/EdgeLink/EdgeLink-Content.txt |
|
Other References:
Here is an example of how to exploit
this:
http://liudieyuinchina.vip.sina.com/EdgeLink/EdgeLink-MyPage.htm |
Source of advisory: Secunia
|
|
|
 |
|
No Comments Allowed for Anonymous, please register |
|
| |
|
Login |
|
 |
|
|
|
|
· New User? · Click here to create a registered account.
|
|
|
Article Rating |
|
|
|
|
|
|
Average Score: 0
Votes: 0
|
|
|
