Date: Sat, 18 Nov 2006 13:43:28 +0000
From: pagvac <unknown.pentester@...il.com>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Sage cross-context scripting -> LOCAL-CONTEXT SCRIPTING

Correct me if I'm wrong, but the following description from
<http://www.securityfocus.com/bid/19928/discuss> is wrong:

"Attacker-supplied HTML and script code would execute in the context
of the affected website"

Code is NOT executed within the context of the affected site but
rather within LOCAL CONTEXT.

I tested this vulnerability myself, and I can confirm that it allows
you to read arbitrary files from the local filesystem by getting
someone to subscribe to your malicious RSS feed (the feed needs to be
read with Sage Firefox extension). The reason for getting scripting in
the local context is because the feed is stored locally, and then the
injected scripting code is executed.

Furthermore, David Kierznowski should also be credited with the
discovery of this vulnerability (in addition to pdp and Kevin
Hamilton):

http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/

Additionally, as an update, there are 2 new cross-context scripting
vulnerabilities found in Sage by David Kierznowski and Rick. Then
again, we have LOCAL CONTEXT SCRIPTING. So forget about restrictions
to running scripts within the context of the vulnerable site:

http://michaeldaw.org/md-hacks/rss-injection-in-sage-part-2/
http://michaeldaw.org/md-hacks/rss-injection-in-sage-part-2/#comment-1058

Finally, I'd like to make clear that Firefox *doesn't* show any
security warning when executing JavaScript locally (whereas IE
*does*). So when exploiting this cross-context scripting vulnerability
in Sage, Firefox will show NO SECURITY WARNING to the user whatsoever.

More on Firefox not showing security warnings when launching evil HTML
files locally:

http://www.gnucitizen.org/blog/web-pages-from-hell-2/

-- 
pagvac
[http://ikwt.com/]
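The root cause described in the post is that feed content is written to a locally stored page and then rendered as markup, so any script in an item runs with local privileges. The following is an added defensive example, not code from the post, from Sage, or from Firefox: it parses a constructed RSS document, escapes every item field so feed text can never be interpreted as HTML when a reader renders it locally, and flags items that carry active content for logging and review. The regex-based item extraction and the field names are simplifications assumed for this example; a real reader would use a proper XML parser, and the escaping step, not the heuristic flag, is the security boundary.

```javascript
// Added example: treat RSS item content as untrusted text before it reaches
// a locally rendered page. The feed below is constructed for this example.
const SAMPLE_FEED = `<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>Plain item</title><description>Hello &amp; welcome</description></item>
<item><title>Markup item</title><description><![CDATA[<b>bold</b> <script>alert(1)</script>]]></description></item>
<item><title>Attribute item</title><description><![CDATA[<img src="x" onerror="alert(1)">]]></description></item>
</channel></rss>`;

// Minimal extraction of <item> entries (assumed simplification: a production
// reader would use a real XML parser; regexes keep this example self-contained).
function parseItems(xml) {
  const items = [];
  const itemRe = /<item>([\s\S]*?)<\/item>/g;
  let m;
  while ((m = itemRe.exec(xml)) !== null) {
    items.push({
      title: extractField(m[1], 'title'),
      description: extractField(m[1], 'description'),
    });
  }
  return items;
}

function extractField(itemXml, tag) {
  const re = new RegExp(`<${tag}>([\\s\\S]*?)<\\/${tag}>`);
  const m = re.exec(itemXml);
  if (!m) return '';
  const cdata = /^<!\[CDATA\[([\s\S]*?)\]\]>$/.exec(m[1].trim());
  // CDATA content is literal text; otherwise decode the XML entities.
  return cdata ? cdata[1] : decodeXmlEntities(m[1]);
}

function decodeXmlEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&apos;/g, "'").replace(/&amp;/g, '&');
}

// Escape every metacharacter so feed text is displayed as text and is never
// parsed as markup in the (local, privileged) page the reader writes.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Heuristic flag for entries carrying active content. This is for logging and
// review only; escapeHtml() above is the actual security boundary.
function hasActiveContent(s) {
  return /<\s*(script|iframe|object|embed)\b|\son\w+\s*=|javascript\s*:/i.test(s);
}

// Produce the fragment a reader could safely write into its local page, plus
// a flag for items worth reporting.
function auditFeed(xml) {
  return parseItems(xml).map((item) => ({
    title: item.title,
    flagged: hasActiveContent(item.title) || hasActiveContent(item.description),
    safeHtml: `<h2>${escapeHtml(item.title)}</h2><p>${escapeHtml(item.description)}</p>`,
  }));
}

// Stand-alone run: print which constructed items were flagged.
for (const r of auditFeed(SAMPLE_FEED)) {
  console.log(`${r.flagged ? 'FLAGGED' : 'ok     '} ${r.title}`);
}
```

Rendering the escaped fragment loses legitimate formatting in feeds, which is the trade-off: a reader that wants to keep a subset of markup needs a real HTML sanitizer with an allowlist, and it should still render feed content in an ordinary web origin rather than from a local file so that a missed case cannot reach the filesystem.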