Nasty Little Firefox Hole Discovered
Written by Editor
Thursday, 15 February 2007 22:42
Security researcher Michal Zalewski has found a nasty little hole in the way Firefox handles writes to the 'location.hostname' DOM property. A script can assign it a value that would never survive parsing as the hostname of a regular URL, including a string that contains a \x00 (NUL) byte. The embedded NUL exposes an inconsistency in how the string is handled inside the browser. DOM strings carry an explicit length rather than a NUL terminator, so the checks performed on the DOM side consider the entire string, NUL and all. When the same string reaches other parts of the browser, such as the DNS resolver, it is treated differently: that code operates on ASCIZ (NUL-terminated) strings, native to C/C++, so everything after the \x00 is silently dropped. The two halves of the browser therefore disagree about which host the page is dealing with. By polluting 'location.hostname' with a \x00, an attacker can make the user's browser connect to a server other than the one the DOM-level checks see, and at that point can serve the user whatever content the attacker desires. The general lesson is that any value crossing from a length-counted string into a NUL-terminated API must be rejected if it contains an embedded NUL, or validated on the same bytes the consumer will actually use. For more information on this issue, see the Bugzilla entry.
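To make the mismatch concrete, here is an added example in C, not code from Firefox or from Zalewski's report, that models a length-counted DOM string next to a NUL-terminated consumer and shows a hardened check that closes the gap. The hostname policy (an allowed suffix), the sample value and the function names are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Length-counted string, the representation DOM code works with:
 * an embedded NUL is just another byte. */
struct dom_string {
    const char *data;
    size_t len;
};

/* Constructed sample value for location.hostname: the text before the NUL is
 * what NUL-terminated code will act on; the text after it is what a
 * length-counted check sees as well. (Illustration only, not Firefox's code.) */
static const char sample_bytes[] = "victim.example\0host.attacker.example";
static const struct dom_string sample = { sample_bytes, sizeof sample_bytes - 1 };

/* Hypothetical policy: the hostname must end with this suffix. */
#define ALLOWED_SUFFIX ".attacker.example"

/* Check written against the counted representation. It looks at all s.len
 * bytes, so the bytes after the NUL decide whether the suffix matches. */
bool counted_suffix_check(struct dom_string s, const char *suffix)
{
    size_t slen = strlen(suffix);
    if (s.len < slen)
        return false;
    return memcmp(s.data + (s.len - slen), suffix, slen) == 0;
}

/* What an ASCIZ consumer (resolver, socket code) actually operates on:
 * the counted string is copied into a C string and everything from the
 * first NUL onward is silently gone. Returns out for convenience. */
const char *asciz_view(struct dom_string s, char *out, size_t outsz)
{
    size_t n = s.len < outsz - 1 ? s.len : outsz - 1;
    memcpy(out, s.data, n);
    out[n] = '\0';          /* strlen(out) now stops at any embedded NUL */
    return out;
}

/* Hardened check: reject any embedded NUL outright, so the policy is applied
 * to exactly the bytes the NUL-terminated consumer will use. */
bool hardened_suffix_check(struct dom_string s, const char *suffix)
{
    if (memchr(s.data, '\0', s.len) != NULL)
        return false;       /* counted and ASCIZ views would disagree */
    return counted_suffix_check(s, suffix);
}

/* Helpers over the constructed sample so the outcome can be inspected
 * without rebuilding the struct. */
bool sample_passes_counted_check(void)
{
    return counted_suffix_check(sample, ALLOWED_SUFFIX);
}

bool sample_passes_hardened_check(void)
{
    return hardened_suffix_check(sample, ALLOWED_SUFFIX);
}

size_t sample_asciz_length(void)
{
    char buf[64];
    return strlen(asciz_view(sample, buf, sizeof buf));
}

bool sample_asciz_equals(const char *expected)
{
    char buf[64];
    return strcmp(asciz_view(sample, buf, sizeof buf), expected) == 0;
}

int main(void)
{
    char buf[64];
    printf("counted check (%zu bytes): %s\n", sample.len,
           sample_passes_counted_check() ? "accepted" : "rejected");
    printf("ASCIZ consumer resolves: \"%s\"\n", asciz_view(sample, buf, sizeof buf));
    printf("hardened check: %s\n",
           sample_passes_hardened_check() ? "accepted" : "rejected");
    return 0;
}
```

Run as written, the counted check accepts the 36-byte value because its tail matches the suffix, while the ASCIZ view hands the resolver only "victim.example"; the hardened check rejects the value before the two views can diverge.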
Last Updated ( Thursday, 15 February 2007 22:42 )