lists.openwall.net
Open Source and information security mailing list archives
From: divzero at gmail.com (Rudolf Polzer)
Subject: multiple web browsers, multiple bugs - onUnload and location.href

WARNING: please open a new browser instance for it.

Try http://www.informatik.uni-frankfurt.de/~polzer/rbiclan/location

The page is SUPPOSED to prevent you from going somewhere else by changing
the URL back in onUnload (even that is already a reason to disable
JavaScript).

The interesting part is: depending on browser, you see different bugs.

Konqueror: an endless loop of alert boxes, seems to have crashed GNOME
(killing konqueror did not make GNOME usable).

Mozilla, Netscape 7 or Firefox: almost works correctly, except for two
small bugs. View Source shows the source of Google, or of wherever you
TRIED to go, while you SEE the unload-trap page. The other bug: when you
close the browser window, onUnload is executed TWICE (you see two
alert boxes, with the number increasing) and the new page is loaded,
but not displayed. The View Source bug somehow looks suspicious, though.
Do other parts of Mozilla think it was another website too?

IE (according to someone on IRC, not verified by me): seems to work
perfectly, once. Sometimes it goes to Google and displays Google,
but shows the www.informatik.uni-frankfurt.de URL in the location bar.
Entering a search expression then uses the wrong domain name. This could
perhaps be used for reading content from "foreign" web sites; I didn't
try.

Netscape 4: seems to work perfectly, no view-source bug or similar.
Until you close the browser window, where it becomes an endless alert
loop.

Opera: works perfectly, no bugs found. Except for that this is evil.

Links2: does not support onUnload (a good thing!), and therefore seems not
to be vulnerable. However, do not expect much of a browser that crashed on
"var i = 203; ''.charAt(i);", where 203 was a "magic number", and whose
source has variables and comments in Czech only. It took them a long time
to fix that bug I reported, but at least they finally did it. Even
so, that made me change to w3m.

Except for IE, no "big holes" seem to be possible with that. However,
it proves that onUnload is evil (we already knew that) and perhaps
shows new, until now unknown, browser bugs that may lead to
something exploitable. Have fun!
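The post describes a page whose onUnload handler assigns location.href back to itself, and then reports three very different outcomes (an endless alert loop, the trap silently failing, the trap working). The following is an added example, not code from the post and not the source of any browser: a constructed Node.js model of a window leaving such a page, with three made-up "policies" for what an engine does with a navigation requested while an unload handler is running. The trap URL, the target URL, the policy names and the step limit are all assumptions made for the simulation.

```javascript
// Added example, not code from the post or from any browser's source: a
// constructed model of a browser leaving a page whose unload handler assigns
// location.href, to show why the same trap can loop endlessly in one engine and
// be harmless or effective in another. The URLs and the three "policies" are
// assumptions for the simulation, not documented behaviour of any named browser.

const TRAP_URL = "http://trap.example/";      // placeholder for the trap page
const TARGET_URL = "http://www.google.com/";  // where the user tries to go
const MAX_STEPS = 50;                         // guard so the simulation always ends

// The trap page as the post describes it: on unload it raises an alert with an
// increasing number and points the location back at itself.
function makeTrapPage(win) {
  let n = 0;
  return {
    url: TRAP_URL,
    onunload() {
      n += 1;
      win.alerts.push(`unload #${n}`);   // stands in for alert()
      win.location.href = TRAP_URL;      // the trap: navigate back to ourselves
    },
  };
}

// Minimal window model. `policy` says what the engine does with a navigation
// requested while an unload handler is running:
//   "rerun"  : treat it as a fresh navigation, so unload fires again (unbounded)
//   "ignore" : drop any navigation requested during unload
//   "once"   : honour the last such navigation, but do not fire unload for it
function makeWindow(policy) {
  const win = { policy, doc: null, alerts: [], loads: [], steps: 0, inUnload: false, redirect: null };
  win.location = {
    get href() { return win.doc ? win.doc.url : "about:blank"; },
    set href(url) { navigate(win, url); },
  };
  return win;
}

function navigate(win, url) {
  if (++win.steps > MAX_STEPS) throw new Error("endless unload loop");
  if (win.inUnload) {
    if (win.policy === "ignore") return;
    if (win.policy === "once") { win.redirect = url; return; }
    // "rerun": fall through and fire the outgoing document's unload again
  }
  if (win.doc && typeof win.doc.onunload === "function") {
    win.inUnload = true;
    try { win.doc.onunload(); } finally { win.inUnload = false; }
  }
  const dest = win.redirect || url;
  win.redirect = null;
  // A fresh document object per load, as a real browser would create.
  win.doc = dest === TRAP_URL ? makeTrapPage(win) : { url: dest };
  win.loads.push(dest);
}

// Open the trap page, then try to leave it; report what the engine ended up showing.
function run(policy) {
  const win = makeWindow(policy);
  win.location.href = TRAP_URL;
  let outcome = "ok";
  try {
    win.location.href = TARGET_URL;
  } catch (e) {
    outcome = e.message;
  }
  return { policy, outcome, finalUrl: win.location.href, unloads: win.alerts.length, loads: win.loads };
}

for (const policy of ["rerun", "ignore", "once"]) {
  console.log(run(policy));
}
```

Under "rerun" the handler's own navigation re-enters unload and the simulation only stops because of the step guard, which is the shape of the endless alert loop the post reports; under "ignore" the user lands on the target and the trap is a no-op; under "once" the user stays on the trap page after exactly one unload. Which real engine corresponds to which policy is not something this model establishes; it only shows that the difference between "annoying loop", "harmless" and "effective trap" comes down to how re-entrant navigation during unload is handled.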

