Mozilla Foundation Security Advisory 2007-05

XSS and local file access by opening blocked popups

Announced
February 23, 2007
Reporter
shutdown, Michal Zalewski
Impact
Moderate
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 1.5.0.10
  • Firefox 2.0.0.2
  • SeaMonkey 1.0.8

Description

shutdown reported that if an attacker could convince a user to open a blocked popup, the attacker could perform a cross-site scripting attack against any site that contains a frame whose source is a data: URL. To accomplish this the attacker's site would have to frame the target site plus another frame whose source is the exact same data: URL as the one used by the victim site, and then attempt to open a popup with a javascript: URL from the attacker's data: frame. It is unclear whether any high-value target sites that match this description actually exist.

Similarly, Michal Zalewski reported that although pages loaded from the web normally cannot open windows containing local files, if an attacker could convince a user to open a blocked popup then this restriction could be bypassed. In order to take advantage of this flaw the attacker would have to know the full path to a locally-saved file containing malicious script. He also reported that a flaw in the seeding of the pseudo-random number generator resulted in downloaded files being saved to temporary files with reasonably predictable names. Combined, the two flaws could be used to steal information saved on the local disk.
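The second flaw matters because the popup bypass only helps an attacker who already knows the full path of the file to load. The constructed Python example below is added here to illustrate that class of weakness; it is not Firefox's code and does not reproduce Firefox's actual generator, seeding or naming scheme. It assumes a hypothetical download path that seeds a small linear congruential generator from the current second: an attacker who can estimate when the file was saved then only has to enumerate a window of a few hundred candidate names, whereas a name drawn from the operating system's CSPRNG leaves no such window.

```python
import secrets

# Constructed illustration of low-entropy seeding (assumed, not Firefox's PRNG):
# a textbook LCG whose only entropy is the seed it is given.
LCG_A = 1103515245
LCG_C = 12345
LCG_M = 1 << 31


def lcg_next(state: int) -> int:
    """One step of the constructed LCG."""
    return (LCG_A * state + LCG_C) % LCG_M


def weak_temp_name(seed_seconds: int, prefix: str = "download-") -> str:
    """Hypothetical weak scheme: seed from the wall-clock second, take one
    draw, use six decimal digits of it as the temporary file's suffix."""
    draw = lcg_next(seed_seconds)
    return f"{prefix}{draw % 1_000_000:06d}.tmp"


def candidate_weak_names(estimated_seconds: int, window: int = 60,
                         prefix: str = "download-") -> list[str]:
    """Attacker's enumeration: every name the weak scheme could have produced
    for a save time within +/- window seconds of the attacker's estimate."""
    return [weak_temp_name(t, prefix)
            for t in range(estimated_seconds - window,
                           estimated_seconds + window + 1)]


def attacker_hit(victim_seconds: int, estimated_seconds: int,
                 window: int = 60) -> bool:
    """True if the victim's real temporary name falls inside the attacker's
    candidate list, i.e. the 'full path' requirement has been reduced to a
    small brute-force search."""
    return weak_temp_name(victim_seconds) in candidate_weak_names(
        estimated_seconds, window)


def strong_temp_name(prefix: str = "download-") -> str:
    """Hardened counterpart: 64 bits from the OS CSPRNG, unrelated to time,
    so no timing estimate narrows the search space."""
    return f"{prefix}{secrets.token_hex(8)}.tmp"


def strong_candidate_space_bits() -> int:
    """Size of the search space an attacker faces against strong_temp_name."""
    return 8 * 8  # secrets.token_hex(8) draws 8 random bytes


if __name__ == "__main__":
    # Constructed timestamp: 2007-02-23 00:00:00 UTC, the advisory's date.
    saved_at = 1172188800
    guess = saved_at + 30  # attacker is off by half a minute
    print("victim name :", weak_temp_name(saved_at))
    print("attacker hit:", attacker_hit(saved_at, guess))
    print("candidates  :", len(candidate_weak_names(guess)))
    print("strong name :", strong_temp_name())
```

The weak scheme is deterministic in the save time, so an attacker who can trigger the download (and therefore knows roughly when it happened) recovers the name by trying each candidate; the CSPRNG-based name has no such relationship to anything the attacker can observe.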

Workaround

Do not open blocked popups individually, instead either ignore them or decide to enable popups on a per-site basis.

References