CERTVU:262350Mozilla status elements can be disabled via JavaScript
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.02 Low
EPSS
Percentile
88.8%
Overview
Mozilla allows websites to disable various browser status elements. This allows websites to create spoofed dialogs using XUL.
Description
Certain Mozilla web browser status elements, such as the address bar, status bar, and navigation controls, can be disabled remotely by web sites using JavaScript. Consequently, attackers can design malicious web sites that disable these native elements and, using XUL, recreate pages that look like native Mozilla dialogs and windows. (XUL is Mozilla’s XML-based user interface. It allows for the development of cross-platform applications.)
Impact
An attacker could convince a user that they were viewing a native Mozilla dialog, when in fact they are visiting a page created by the attacker. The attacker could use additional social engineering techniques to trick the victim into disclosing sensitive information such as credit card numbers, account numbers, and passwords. The attacker could also spoof pop-up windows that do not display the address bar.
Solution
Disable the ability to hide status items
By performing the following steps, it is possible to prevent JavaScript from disabling status elements. This will make XUL-created pages appear distinct from native Mozilla dialogs.
1. Enter “about:config” in Mozilla’s address bar. This will display Mozilla’s configuration values.
2. Set the following values to **true**:
dom.disable_window_open_feature.titlebar dom.disable_window_open_feature.close dom.disable_window_open_feature.toolbar dom.disable_window_open_feature.location dom.disable_window_open_feature.directories dom.disable_window_open_feature.personalbar dom.disable_window_open_feature.menubar dom.disable_window_open_feature.scrollbars dom.disable_window_open_feature.resizable dom.disable_window_open_feature.minimizable dom.disable_window_open_feature.status
These preferences can also be set via the user.js file.
Vendor Information
262350
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Mozilla __ Unknown
Notified: August 04, 2004 Updated: December 16, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23262350 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://secunia.com/advisories/12188/>
- <http://www.securityfocus.com/bid/10832>
- <http://xforce.iss.net/xforce/xfdb/16837>
- <https://bugzilla.mozilla.org/show_bug.cgi?id=176304>
- <http://bugzilla.mozilla.org/show_bug.cgi?id=244965>
- <http://bugzilla.mozilla.org/show_bug.cgi?id=22183>
Acknowledgements
This vulnerability was reported by David Ahmad. The workaround was provided by Asa Dotzler.
This document was written by Will Dormann.
Other Information
| CVE IDs: | CVE-2004-0764 |
|---|---|
| Severity Metric: | 1.04 Date Public: |
Related
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.02 Low
EPSS
Percentile
88.8%