You are here: Known Vulnerabilities in Mozilla Products (Firefox 220.127.116.11) > MFSA 2007-24
Mozilla Foundation Security Advisory 2007-24
Title: Unauthorized access to wyciwyg:// documents
Announced: July 17, 2007
Reporter: Michal Zalewski
Fixed in: Firefox 18.104.22.168
Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents. It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++).