Mozilla Foundation Security Advisory 2006-34

XSS viewing javascript: frames or images from context menu

Announced
June 1, 2006
Reporter
Paul Nickerson
Impact
Moderate
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 1.5.0.4
  • SeaMonkey 1.0.2

Description

Paul Nickerson demonstrated that if an attacker could convince a user to right-click on a broken image and choose "View Image" from the context menu then he could get javascript to run on a site of the attacker's choosing by making the image src attribute a javascript: URL and loading the target site on mousedown. This could be used to steal login cookies or other confidential information from the target site.

Similarly, if a user could be convinced to right-click and choose "Show only this frame" on a frame whose src attribute is a javascript: URL then that script would run in the context of the framing site. In order for this variant to be effective not only would you have to convince the user to view the frame, you would have to find an interesting target site that can be made to host a frame of the attacker's choosing.

Workaround

Be wary when sites give "work around" instructions for odd breakage on their sites. If images have been broken long enough to have posted instructions why can't the site simply make images work like every other site on the internet? Be cautious in such situations, and consider copying the URL instead and pasting it into a new window so you can see what it really is first.

References