• Computer vulnerability research.

    Thanks to our rewards, Alternativ-Testing has been able to equip itself with high-quality computing equipment (iPad 2, iPhone 4, BlackBerry, PC, MacBook Pro...), allowing our researchers to deepen their research and focus it on the very latest technologies.

  • Resources.

    Location Bar & SSL Spoofing, Cross Origin Bypass, Remote Code Execution... so many vulnerabilities reported by our researchers in the most widely used software in the world.

    Today Alternativ-Testing has established itself in the field of computer security research thanks to the talent and perseverance of its motivated researchers.

  • Collaboration.

    Alternativ-Testing is in direct contact with consultants, researchers and developers from many companies, and thus contributes every day to the security of the web.

    Our research has been published on the leading vulnerability reporting sites since the creation of this group.

Advisories, PoCs & Exploits

[CVE-2012-0474] Mozilla Firefox 8.0 SSL/TLS Spoofing and Saved Password Stealing

Unspecified vulnerability in Mozilla Firefox allows remote attackers to spoof SSL/TLS and to steal saved passwords. Credit to Jordi Chancel.

Severity: High | Date: XXXX-XX-XX | Reward: 3000$

[CVE-2012-3556 & CVE-2012-3555] Opera 11.64 Social Engineering Cross-Site Scripting, Code Execution and SSL-TLS Spoofing

1/ When a user is interacting with a window, that window should be visible to the user, to ensure that the user realizes it is there. If a page is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end up performing undesirable actions on that page. Similar attacks could also be used against Opera's preferences to change preferences or select executables to be run by Opera. Additional social engineering steps are needed to ensure that the user presses the correct key sequence, without being able to show any relevant visual feedback, as the page cannot see that the keys are being pressed.

2/ When a user double clicks on a page, they may expect the two clicks to target the same object. If a page uses the first click to open a pop-up window in a predictable location, the second click may focus parts of the new window, such as its address field. If the page can then convince the user to activate a scripted URL seeded in the address field, on a newly loaded target page within the pop-up, it can allow cross site scripting against the target page. Similar attacks could also be used against Opera's preferences to change preferences or select executables to be run by Opera. Non-trivial social engineering would be required to ensure that the user followed the desired sequence of clicks and keypresses, at precisely the right speed, while ignoring the opening and loading of pages within the pop-up.

Severity: Moderate/High

[CVE-2012-3558] Opera Web Browser 11.64 Address Field Spoofing

Unspecified vulnerability in Opera allows remote attackers to spoof the URL shown in the location bar. Credit to Jordi Chancel.

Severity: Low/Moderate

[CVE-2012-1924] Opera 11.61 High Remote Code Execution

When the download dialog is displayed, it should always be visible to the user, to ensure that the user realizes it is there. If the dialog is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end up running a downloaded executable. Additional social engineering steps are needed to ensure that the user presses the correct key sequence, without being able to show any relevant visual feedback, as the page cannot see that the keys are being pressed.

Severity: High | Date: XXXX-XX-XX

[CVE-2012-1925] Opera 11.61 Remote download and execution vulnerability

Dialogs such as the download dialog are usually displayed on top of page content, to ensure that the user knows that the dialog is requesting attention. In some cases, this policy was not implemented correctly in Opera, allowing certain page content to overlay the dialog. In these cases, clicking the page content causes the dialog to be clicked instead. While an attacker may not have much control over the appearance of the overlapping content, they may be able to use it to trick the user into performing harmful actions, such as running a downloaded executable.

Severity: High | Date: XXXX-XX-XX

[CVE-2012-1928] Opera 11.61 Address Bar Spoofing

The address field should always show the address of the page that is being displayed. In certain cases, if a target site responds slowly, reloading an attacking page and redirecting to the target page can cause the address field to show the target site's address, while the attacking site is still being displayed.

Severity: Low/Moderate | Date: XXXX-XX-XX

[0day] Google Chrome Address Bar Spoofing

Unspecified vulnerability in Google Chrome allows remote attackers to spoof the URL shown in the location bar. Credit to Jordi Chancel.

Severity: Low/Moderate | Date: XXXX-XX-XX

[0day] [CVE-XXXX-XXXX] Mozilla Firefox and others: Critical Clickjacking with Malicious Add-on

Unspecified vulnerability in Mozilla Firefox allows remote attackers to cover an add-on XPI. Credit to Jordi Chancel.

Severity: Critical | Date: XXXX-XX-XX | Reward: 3000$

[0day] Mozilla Firefox URL and SSL/TLS Spoofing

Unspecified vulnerability in Mozilla Firefox allows remote attackers to spoof the URL and the SSL/TLS indicator in the location bar. Credit to Eddy Bordi and Jordi Chancel.

Severity: High | Date: XXXX-XX-XX | Reward: 3000$

[0day] Mozilla Firefox 3.6.X ClickJacking of Java Applet

Unspecified vulnerability in Mozilla Firefox allows remote attackers to cover a Java Applet. Credit to Jordi Chancel.

Severity: Critical | Date: XXXX-XX-XX | Reward: 3000$

Google Chrome URL Bar Spoofing

Unspecified vulnerability in Google Chrome before 15.0.874.102 allows remote attackers to spoof the URL bar via unknown vectors. Credit to Jordi Chancel.

Severity: High | Date: 2011-10-25 | Reward: 500$

Google Chrome URL Bar Spoofing with Drag and Drop of URLs

Security researcher Jordi Chancel reported a vulnerability in Google Chrome before 15.0.874.102 that allows user-assisted remote attackers to spoof the URL bar via a vector involving a drag and drop.

Severity: Moderate | Date: 2011-10-25

Google Chrome URL Bar Spoofing

Security researcher Jordi Chancel reported a vulnerability in Google Chrome before 14.0.835.163 that allows user-assisted remote attackers to spoof the URL bar via a vector involving the forward button.

Severity: Moderate/High | Date: 2011-09-17 | Reward: 500$

Mozilla Firefox Memory corruption due to multipart/x-mixed-replace images

Security researcher Jordi Chancel reported that Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a multipart/x-mixed-replace image.

Severity: Critical | Date: 2011-06-21 | Reward: 3000$

Google Chrome URL Bar Spoofing

Security researcher Jordi Chancel reported a vulnerability in Google Chrome before 11.0.696.57 that allows user-assisted remote attackers to spoof the URL bar via vectors involving a redirect and a manual reload.

Severity: Moderate/High | Date: 2011-04-01 | Reward: 500$

Google Chrome URL Bar Spoofing

Security researcher Jordi Chancel reported a vulnerability in Google Chrome before 9.0.597.107 that allows remote attackers to spoof the URL bar via unknown vectors.

Severity: High | Date: 2011-03-01 | Reward: 1000$

Mozilla Firefox Overflow caused by corrupted JPEG image

Security researcher Jordi Chancel reported that a JPEG image could be constructed that would be decoded incorrectly, causing data to be written past the end of a buffer created to store the image. An attacker could potentially craft such an image that would cause malicious code to be stored in memory and then later executed on a victim's computer.

Severity: Critical | Date: 2011-03-01 | Reward: 3000$

Opera Integer Truncation Remote Code Execution

When certain large form inputs appear on a web page, they can cause Opera to crash. In some cases, the crash can lead to memory corruption, which could be used to execute code. To inject code, additional techniques would have to be employed. Credit to Jordi Chancel.

Severity: Critical | Date: 2011-01-27

Opera HTML sanitization bypass

Sites that accept content from untrusted users are expected to sanitize that content, to remove potentially harmful scripts and scripted attributes. In cases where a link is provided, sites would typically want to remove any links which use scripted protocols. In Opera, if the protocol string contains Tab characters, those characters will be ignored, and the link will still be treated as a scripted protocol. This can cause naive sanitization filters not to realize that the link is potentially harmful. Jordi Chancel reported this vulnerability.

Severity: Low/Moderate | Date: 2010-12-16

Opera URL Bar Spoofing, Cross Domain Scripting and Remote Code Execution

Scripts on a page are supposed to be restricted so that they can only interact with other pages from the same domain and security context. Carefully timed reloads and redirects, when combined with appropriate caching, can cause scripts to execute in the wrong security context in Opera. This allows cross site scripting (XSS). In some cases, the address bar will also show the address of the target page. With minimal user interaction, this particular XSS vector may also be used to modify Opera's configuration, and this may in turn be used to execute arbitrary code on the computer. Credit to Jordi Chancel.

Severity: Critical | Date: 2010-09-13

Mozilla Firefox SSL Spoofing

Security researcher Jordi Chancel reported that the location bar could be spoofed to look like a secure page when the current document was served via plaintext. The vulnerability is triggered by a server by first redirecting a request for a plaintext resource to another resource behind a valid SSL/TLS certificate. A second request made to the original plaintext resource which is responded to not with a redirect but with JavaScript containing history.back() and history.forward() will result in the plaintext resource being displayed with valid SSL/TLS badging in the location bar.

Severity: Moderate | Date: 2010-07-20 | Reward: 500$

Google Chrome Cross Origin Bypass

Security researcher Jordi Chancel reported that the Google URL Parsing Library (aka google-url or GURL) in Google Chrome before 4.1.249.1064 allows remote attackers to bypass the Same Origin Policy via a character tabulation (Tab) or other escape characters inside the javascript: protocol string.

Severity: High | Date: 2010-04-27 | Reward: 1000$
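
The Opera HTML sanitization bypass and the Chrome GURL cross-origin bypass listed above share one root cause: a filter inspects a different string than the one the URL parser ends up reading. The following example is added here and is not code from Alternativ-Testing, Opera or Google; it contrasts a naive prefix check with one that applies the same tab/newline stripping the WHATWG URL parser performs, and cross-checks both against Node's built-in URL class. The sample hrefs and the example.invalid base are constructed for the demonstration.

```javascript
// Added example (not from the advisories' authors or any browser vendor).
// The WHATWG URL parser strips leading/trailing C0 controls and spaces, then
// removes every ASCII tab and newline, before it reads the scheme.

const SCRIPTED_SCHEME = /^(javascript|vbscript|data):/i;

// Naive filter: compares the raw attribute value against the literal prefix.
function naiveIsScriptedUrl(href) {
  return SCRIPTED_SCHEME.test(href);
}

// Same pre-processing the URL parser applies to its input.
function normalizeUrl(href) {
  return href
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "") // leading/trailing C0 + space
    .replace(/[\t\n\r]/g, "");                            // tab, LF, CR anywhere
}

// Hardened filter: checks the scheme the parser will actually see.
function hardenedIsScriptedUrl(href) {
  return SCRIPTED_SCHEME.test(normalizeUrl(href));
}

// Cross-check with the real parser; relative hrefs resolve against a placeholder base.
function parserScheme(href, base = "https://example.invalid/") {
  try {
    return new URL(href, base).protocol;
  } catch (e) {
    return null; // unparsable input
  }
}

// Constructed sample hrefs (not payloads taken from the advisories above).
const SAMPLES = [
  "https://example.invalid/page",
  "javascript:void(0)",
  "java\tscript:void(0)",     // tab inside the scheme, as in the Opera report
  " \njavascript:void(0)",    // leading space and newline
  "JAVA\nSCRIPT:void(0)",     // mixed case plus newline
];

// One row per sample so the two filters and the parser can be compared side by side.
function compareFilters(samples = SAMPLES) {
  return samples.map((href) => ({
    href,
    naive: naiveIsScriptedUrl(href),
    hardened: hardenedIsScriptedUrl(href),
    parser: parserScheme(href),
  }));
}
```

Rows where `naive` and `hardened` disagree are exactly the links a raw-string filter would let through while the browser still treats them as javascript: URLs.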

Mozilla Firefox URL Bar spoofing PoC

Security researcher Jordi Chancel reported an issue similar to one fixed in mfsa2009-44 in which a web page can set document.location to a URL that can't be displayed properly and then inject content into the resulting blank page. An attacker could use this vulnerability to place a legitimate-looking but invalid URL in the location bar and inject HTML and JavaScript into the body of the page, resulting in a spoofing attack.

Severity: Moderate | Date: 2009-12-15 | Reward: 500$

Critical

  • Vulnerability that can be used to take control of a vulnerable machine remotely. (Requiring little or no user interaction)

High

  • Spoofing of a targeted SSL/TLS certificate. (Common user interaction)
  • Access to the user's files. (Requiring little or no user interaction)
  • Code injection on a remote domain. (Requiring little or no user interaction)
  • Theft of saved login credentials. (Requiring little or no user interaction)
  • Vulnerability that can be used to take control of a vulnerable machine remotely. (Difficult to exploit, or requiring heavy user interaction)

Moderate

  • Spoofing of the URL in the location bar. (Common user interaction)
  • Potential Cross-Site Scripting.
  • Vulnerability that could have a "High" impact. (Requiring uncommon user interaction)
  • Vulnerability that can be used to take control of a vulnerable machine remotely. (Requiring an uncommon software configuration)

Low

  • Minor spoofing.
  • Bypass of a minor security measure.
  • Access to browsing history or other non-confidential information.
  • Spoofing (requiring heavy or uncommon user interaction).
  • Vulnerability that could have a "Moderate" impact. (Difficult to exploit, or requiring heavy user interaction)

Statistics

Fixed vulnerabilities:

CRITICAL: 30%
HIGH: 21%
MODERATE: 35%
LOW: 14%


0days awaiting a fix:

CRITICAL: 20%
HIGH: 40%
MODERATE: 20%
LOW: 20%
VERY LOW: 0%