Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Firefox file download spoofing vulnerability
Posted by: Ivan
Date: December 24, 2008 02:04PM

I found a vulnerability in the file download logic. We can use some design mistakes to spoof the file download location and make the user download a malicious file.

There are two methods:

- (less critical) We can start two download dialogs with the same file name but separate filesystem locations and put one behind the other.
The user can be tricked into clicking twice on the download button and downloading a malicious file.

- We can show, e.g., a picture file in the browser window and start a download dialog for a file with the same name but another location.

For better understanding I created a PoC: http://security-net.biz/files/popupDownload/index.php

The best way to solve this is to set the new window/download dialog to topmost so the user can't interact with other windows. Opera, IE and Safari have similar solutions.


Secunia says that this is not a vulnerability because the download dialog shows the filename and domain. And this is right, but there is a better solution, I think ...
I sent this to Mozilla too, but there is no reply.

Anyway, I wanted to share this with people ...

http://www.security-net.biz/

Re: Firefox file download spoofing vulnerability
Posted by: TheInsider
Date: December 24, 2008 04:05PM

This can't be defined as a bug/vulnerability/weakness.
This is a logical attack, an issue that will always exist...
You can't do much to solve it except for a few specific "silly patches", the kind which real products won't do.

But it is a great idea; this is the kind of attack which survives forever and is always interesting :)
