SUSSY's Profile

Member since February 15, 2007

  • Name

    SUSSY

Recent Posts

  1. Comment - Microsoft Fixes Zero-Day Word Flaws

    (Feb 15, 2007 - 8:15 AM)

    There is a serious vulnerability in Mozilla Firefox, tested with 2.0.0.1,
    but quite certainly affecting all recent versions.

    This makes it possible for evil.com to modify location.hostname as
    described above, and have the resulting HTTP request still sent to
    evil.com. Once the new page is loaded, the attacker will be able to set
    cookies for *.example.com; he'll also be able to alter document.domain
    accordingly, in order to bypass the same-origin policy for XMLHttpRequest
    and cross-frame / cross-window data access.


    A quick demonstration is available here:
    http://lcamtuf.dione.cc/ffhostname.html

    The impact is quite severe: malicious sites can manipulate authentication
    cookies for third-party webpages, and, by virtue of bypassing
    same-origin policy, can possibly tamper with the way these sites are
    displayed or how they work.


    Regards,
    /mz