FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Mozilla / Firefox user interface spoofing vulnerability

Affected packages
firefox <= 0.9.1_1
linux-mozilla <= 1.7.1
linux-mozilla-devel <= 1.7.1
mozilla <= 1.7.1,2
1.8.a,2 <= mozilla <= 1.8.a2,2
mozilla-gtk1 <= 1.7.1_1

Details

VuXML ID 730db824-e216-11d8-9b0a-000347a4fa7d
Discovery 2004-07-19
Entry 2004-07-30
Modified 2004-08-15

The Mozilla project's family of browsers contain a design flaw that can allow a website to spoof almost perfectly any part of the Mozilla user interface, including spoofing web sites for phishing or internal elements such as the "Master Password" dialog box. This achieved by manipulating "chrome" through remote XUL content. Recent versions of Mozilla have been fixed to not allow untrusted documents to utilize "chrome" in this way.

References

Bugtraq ID 10832
CVE Name CVE-2004-0764
URL http://bugzilla.mozilla.org/show_bug.cgi?id=22183
URL http://bugzilla.mozilla.org/show_bug.cgi?id=244965
URL http://bugzilla.mozilla.org/show_bug.cgi?id=252198
URL http://secunia.com/advisories/12188
URL http://www.nd.edu/~jsmith30/xul/test/spoof.html

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.