FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

web browsers -- window injection vulnerabilities

Affected packages
firefox < 1.0.1,1
mozilla < 1.7.6,2
linux-mozilla < 1.7.6
linux-mozilla-devel < 1.7.6
0 <= de-linux-mozillafirebird
0 <= de-netscape7
0 <= el-linux-mozillafirebird
0 <= fr-netscape7
0 <= ja-linux-mozillafirebird-gtk1
0 <= ja-mozillafirebird-gtk2
0 <= ja-netscape7
0 <= linux-mozillafirebird
0 <= mozilla-gtk1
0 <= netscape7
0 <= pt_BR-netscape7
0 <= ru-linux-mozillafirebird
0 <= zhCN-linux-mozillafirebird
0 <= zhTW-linux-mozillafirebird
0 <= de-linux-netscape
0 <= fr-linux-netscape
0 <= ja-linux-netscape
0 <= linux-netscape
0 <= linux-phoenix
0 <= mozilla+ipv6
0 <= mozilla-embedded
0 <= mozilla-firebird
0 <= mozilla-gtk
0 <= mozilla-gtk2
0 <= mozilla-thunderbird
0 <= phoenix
kdebase < 3.3.2
kdelibs < 3.3.2
linux-opera < 7.54.20050131
opera < 7.54.20050131
opera-devel < 7.54.20050131

Details

VuXML ID b0911985-6e2a-11d9-9557-000a95bc6fae
Discovery 2004-12-08
Entry 2005-01-24
Modified 2005-02-26

A Secunia Research advisory reports:

Secunia Research has reported a vulnerability in multiple browsers, which can be exploited by malicious people to spoof the content of websites.

The problem is that a website can inject content into another site's window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue: http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

[source]

A workaround for Mozilla-based browsers is available.

References

CVE Name CVE-2004-1156
CVE Name CVE-2004-1157
CVE Name CVE-2004-1158
CVE Name CVE-2004-1160
URL http://mozillanews.org/?article_date=2004-12-08+06-48-46
URL http://secunia.com/advisories/13129/
URL http://secunia.com/advisories/13253/
URL http://secunia.com/advisories/13254/
URL http://secunia.com/advisories/13402/
URL http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
URL http://secunia.com/secunia_research/2004-13/advisory/
URL http://www.kde.org/info/security/advisory-20041213-1.txt
URL https://bugzilla.mozilla.org/show_bug.cgi?id=103638
URL https://bugzilla.mozilla.org/show_bug.cgi?id=273699

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.