Slashdot Mirror


Vulnerability In Firefox Popup Blocker

cj writes in with news of a vulnerability in Firefox's stock popup blocker discovered by Michal Zalewski. The vulnerability can allow a malicious user to read files from an affected system. The attacker would "need to plant a predictably named file with exploit code on the target system. This sounds hard, but isn't," according to the article.

4 of 100 comments

  1. Re:Anyone knows if the 2.x tree is vulnerable too? by Tony Hoyle · Score: 5, Insightful

    Can anyone test?

    Nope, because no example exploit is given and the means of exploitation looks rather unlikely:

    "To create a popup warning, a script embedded on the page calls: window.open('file:///c:/windows/temp/xxxxxxx.htm', 'new2',''),

    with a name calculated by repeating a procedure implemented in SetUpTempFile() with a seed calculated by the server based on reported system time (p2.html?time)."

    1. It assumes that the temp directory is c:/windows/temp. It isn't, unless you're running Windows 95, and only then if you've not changed it from default. That's the *system* default temp directory. The *user* temp directory is inside Local Settings in the user-specific area (much harder to find out remotely; maybe not impossible, but you'd have to get lucky, since it's not just the username as the directory name, it has things like .000 after it).
    2. Calculating the seed to that accuracy is damned hard.
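
The advisory excerpt quoted in the comment above describes a temp-file name derived from a procedure seeded with a clock value the client itself reports. The following is an added example, not code from the Slashdot story, from Zalewski's advisory, or from Firefox: the real SetUpTempFile() algorithm is not given on this page, so `tempName()` is a hypothetical stand-in (a small Park-Miller LCG seeded with a time in seconds, drawing seven base-36 characters). What it shows is the general point behind "predictably named file": once the seed is a function of time, the attacker's work is the size of the time-uncertainty window, not the size of the name space, so guessing the name reduces to enumerating a few hundred candidates.

```javascript
// Added example: predictable temp-file names from a time-derived seed.
// tempName() is HYPOTHETICAL; it stands in for an unspecified generator.

// Park-Miller "minimal standard" LCG step (modulus 2^31 - 1, multiplier 16807).
// state * 16807 stays below 2^53, so the multiplication is exact in JS.
function lcgNext(state) {
  return (state * 16807) % 2147483647;
}

// Derive a 7-character base-36 name from a seed given in whole seconds.
// Same seed -> same name, which is the whole weakness.
function tempName(seedSeconds) {
  let s = (seedSeconds % 2147483646) + 1; // keep the LCG state non-zero
  let name = "";
  for (let i = 0; i < 7; i++) {
    s = lcgNext(s);
    name += (s % 36).toString(36);
  }
  return name + ".htm";
}

// Enumerate every name the generator could have produced if the true seed
// lies within +/- windowSeconds of the clock value the client reported.
// The candidate count is bounded by the window, not by 36^7 possible names.
function candidateNames(reportedSeconds, windowSeconds) {
  const names = new Set();
  for (let t = reportedSeconds - windowSeconds; t <= reportedSeconds + windowSeconds; t++) {
    names.add(tempName(t));
  }
  return [...names];
}

// Compare the two search spaces: the full name space versus the time window.
// A generator seeded from a CSPRNG (e.g. crypto.getRandomValues) would leave
// the attacker with the first number; a clock seed leaves the second.
function searchSpaceRatio(windowSeconds) {
  const nameSpace = 36 ** 7;                // 78,364,164,096 possible names
  const timeSpace = 2 * windowSeconds + 1;  // seeds inside the window
  return nameSpace / timeSpace;
}

// Constructed input: a reported clock value and a five-minute uncertainty window.
const REPORTED_TIME = 1700000000;
const WINDOW = 300;
```

Run with `node`: `candidateNames(REPORTED_TIME, WINDOW)` yields at most 601 names, and the true name (whatever the real seed inside the window was) is one of them. The fix is the usual one: seed temp-file names from the OS random source rather than from anything an observer can read or the client can report.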

  2. Re:Anyone knows if the 2.x tree is vulnerable too? by evilviper · Score: 3, Insightful

    Also, what's with Windows never deleting anything in the user temp directories? What part of temporary does it not understand?
    As opposed to Linux, which also doesn't clear /tmp?

    Windows is slightly worse, but not by a lot.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  3. Re:bullshit by jesser · Score: 2, Insightful

    Firefox doesn't have a "Hold Ctrl to disable pop-up blocking" feature. Maybe you're thinking of another browser or a Firefox extension?

    This vulnerability involves the "Show blocked popup" feature, which you can activate from the status bar icon indicating that a popup was blocked. If the popup is allowed in the first place, the security check works correctly.

    --
    The shareholder is always right.
  4. Lamest. Vulnerability-post. Ever. by JacksBrokenCode · Score: 2, Insightful

    That is the lamest vulnerability post I have seen in a long time...
    You sure about that?