Message-ID: <20030416032852.31393.qmail@www.securityfocus.com>
Date: 16 Apr 2003 03:28:52 -0000
From: Liu Die Yu <liudieyuinchina@...oo.com.cn>
To: bugtraq@...urityfocus.com
Subject: i cracked restriction of 'zone' in mozilla.




i cracked restriction of 'zone' in mozilla.
("that's all" is the end of file if you are in a hurry)

[tested]
OS:"Windows Server 2003"

NETSCAPE Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.0.1) Gecko/20020823 Netscape/7.0 "
(downloaded on "2003/3/31 UTC+800")
MOZILLA Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.3) Gecko/20030312"
(downloaded on "2003/4/1 UTC+800")
MOZILLA Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4a) Gecko/20030401"
(downloaded on "2003/4/15 UTC+800")

[demo]
http://liudieyuinchina.vip.sina.com/EdgeLink/EdgeLink-MyPage.htm
or
UMBRELLA.MX.TC ===> EdgeLink-MyPage section.
(disable Popup killer.)

[exp]
Mozilla does not wash (invalidate) links on the edge of the transition from one document to the next.

{0} Before the content of the next document is loaded, and after the security ID of the current document has been changed to the security ID of the next one (such a period exists):

{1} Links in the current document, including their "onclick" property, remain alive (= clickable).
{1.1} I can access my link if I have its reference.
Now, I call its "onclick" via the reference to the link:
{1.2} "onclick" is executed with the security ID of the next page, which is about to be loaded.
(boring? "[demo-exp]" is easier.)

[demo-exp]
Okay, this is easier. Listen up:

task:
show "document.cookie" at "www.securityfocus.com", via "window.alert".

[*] our "LINK" page: it's in our 'zone' and contains a link with onclick="alert(document.cookie)"

[*] the "main" script lives in another page;
now, the "main" script plays the trick:
open the "LINK" page in another window, "mywin".
save the reference to the link in the "LINK" page in the "MyLink" variable.
tell "mywin" to go to "http://www.securityfocus.com/".
wait until the security ID changes
("security ID changes" <==> "main script is unable to get protected info" --> "try{[Get protected info in mywin]}catch{[now, security ID is changed.]}")

call "MyLink.onclick()" *immediately*.
/*
we call that immediately, so the time is {0} (refer to "{0}" in "[exp]");
even though the security ID is changed to that of "http://www.securityfocus.com", our link remains alive. {1}
even though the security ID is the victim's ID, the main script can still call "MyLink.onclick()". {1.1}
at last, {1.2}
*/
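To make the {0}/{1}/{1.2} sequence above concrete, here is an added toy model in JavaScript (not Mozilla code, and not from the author's demo page): a window whose security ID switches before the old document's link handler is dropped, with the handler evaluated once under the window's current ID, as the post describes, and once under the ID of the document that created it, which is the check a fix needs at the edge. All function names, origins and cookie values are constructed.

```javascript
// Constructed model of the window-navigation race described in [exp] and
// [demo-exp]. Not Mozilla code; all names are assumptions for illustration.
// A document has an origin and a protected value standing in for cookies.
function makeDocument(origin, cookie) {
  return { origin, cookie };
}

// A window holds its current document and a separate "security ID";
// the bug is that the ID switches before old handlers are torn down.
function makeWindow(doc) {
  return { doc, securityID: doc.origin };
}

// A link created in a document; its handler reads the current document's
// cookie. ownerDoc records which document created it.
function makeLink(ownerDoc) {
  return { ownerDoc, onclick: (win) => win.doc.cookie };
}

// Same-origin check: script running under subjectID may read doc only if the IDs match.
function canAccess(subjectID, doc) {
  return subjectID === doc.origin;
}

// Navigation at point {0}: the security ID is already the next page's
// while the old link is still referenced.
function navigate(win, nextDoc) {
  win.securityID = nextDoc.origin;
  win.doc = nextDoc;
}

// Invoke a retained link handler. Vulnerable mode runs it under the
// window's current security ID ({1.2}); hardened mode runs it under the
// ID of the document that created it, so the cross-origin read is refused.
function invokeOnClick(win, link, hardened) {
  const subjectID = hardened ? link.ownerDoc.origin : win.securityID;
  if (!canAccess(subjectID, win.doc)) return { denied: true };
  return { denied: false, value: link.onclick(win) };
}

// Replay of [demo-exp] with constructed origins and cookie values.
function replay(hardened) {
  const linkPage = makeDocument("attacker.example", "attacker-cookie");
  const victim = makeDocument("victim.example", "victim-cookie");
  const mywin = makeWindow(linkPage);
  const MyLink = makeLink(linkPage); // reference saved before navigation
  navigate(mywin, victim);           // now past the edge: ID is victim's
  return invokeOnClick(mywin, MyLink, hardened);
}
```

replay(false) returns the victim's cookie, reproducing the post's {1.2}; replay(true) is refused because the handler is judged by the ID of the document that created it.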



that's all.



[how]
from small beginnings come great things!
read:

http://liudieyuinchina.vip.sina.com/EdgeLink/EdgeLink-How.htm
or
UMBRELLA.MX.TC ===> EdgeLink-How section.

if you are interested in how I got this in 5 hours after I downloaded Mozilla.

[people]
greetings to you all!
and thanx to
"the Pull", dror, bin, gean, dross, iainm, and always: mom and dad - for their help.

[extra offer]
if you are browsing through web daily with MSIE, try:

http://liudieyuinchina.vip.sina.com/domex/aPoP
or
DOMEX.INT.TC ===> aPoP section.

(it's coded by me; I hope you like it :-) )
BTW, I'm very proud of my "PuriWeb" function in it.


-----
all mentioned resources can always be found at UMBRELLA.MX.TC

[contact]
UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"






