http://hackademix.net/2007/08/07/java-evil-popups
Kind of scary, but I can still see my menu bar on a mac, so I know what's real and what's not. Also, a simple cmd+w closes it, so much for not being able to close it!
... and if you disable java altogether, there's no problem! :D
Noscript (http://noscript.net/) for the win. :)
I was able to ahve ti go truly fullscreen only when I
1) Unlocked my tray
2) closed all 'docked' windows (Trillian, wigets, etc..)
So..? Not that impressive.
~Hdx
A lot of people don't have docked programs, so it is rather impressive. And even if it covers your browser only, if you use this to present the user with a fake browser, you can potentially do a lot of damage.
In case anyone's wondering, I tried this on my dual monitor set up. When I ran the JavaScript test (I'm on Firefox, so, Gecko-based) the PWND window showed up on my default monitor, but the taskbar still showed. My secondary monitor, which I (luckily?) was browsing on at the time, was unaffected.
Apparently I'm in the safe zone. And congrats to iago on 12,000 posts.
EDIT -
function popup() {
if(typeof(java) == "undefined") {
window.onload = function() {
document.getElementById("nojava").innerHTML =
"Your browser doesn't support LiveConnect or you've got Java disabled!";
};
return;
}
var w = new java.awt.Window(new java.awt.Frame());
var label = new java.awt.Label("PWND");
label.setFont(new java.awt.Font("Serif", java.awt.Font.BOLD, 80));
label.setAlignment(label.CENTER);
label.setForeground(java.awt.Color.white);
w.setBackground(java.awt.Color.black);
w.setLayout(new java.awt.BorderLayout());
w.add(label, java.awt.BorderLayout.CENTER);
w.setLocation(0, 0);
var d = java.awt.Toolkit.getDefaultToolkit().getScreenSize();
d.height += 80;
w.setSize(d);
w.setVisible(true);
}
And I'm sort of laughing a bit now that I realize this can be exploited in Firefox and not Internet Exploder. Wait, what?!?!
This is reportedly exploitable on all major browsers (IE, FF, Opera).
Eh, it's much easier in Firefox, since in IE you need to download the whole applet and whatnot. It's still as easy to get sucked in, but Firefox facilitates it being done easier for the programmer.
Quote from: iago on August 08, 2007, 02:52:31 PM
Noscript (http://noscript.net/) for the win. :)
Noscript is not worth the huge pain in the ass that it is. This should be a fairly easy to fix exploit.
Quote from: unTactical on August 16, 2007, 11:37:56 AM
Quote from: iago on August 08, 2007, 02:52:31 PM
Noscript (http://noscript.net/) for the win. :)
Noscript is not worth the huge pain in the ass that it is. This should be a fairly easy to fix exploit.
I don't consider it a pain at all, I have it installed on all my computers. Most good sides (including the SMF forum) can operate 100% without JavaScript.
I think the internet isn't worth the huge pain in the ass that it is without noscript :|