Message-ID: <3E9ED82E.9080001@scanit.be>
Date: Thu, 17 Apr 2003 18:37:02 +0200
From: Alla Bezroutchko <alla@...nit.be>
To: bugtraq@...urityfocus.com
Subject: Re: i cracked restriction of 'zone' in mozilla.


Liu Die Yu wrote:
> 
> I cracked the restriction of 'zone' in Mozilla.
> ("that's all" is the end of the file if you are in a hurry)
> 
> [tested]
> OS:"Windows Server 2003"
> 
> NETSCAPE Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.0.1) Gecko/20020823 Netscape/7.0 "
> (downloaded on "2003/3/31 UTC+800")
> MOZILLA Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.3) Gecko/20030312"
> (downloaded on "2003/4/1 UTC+800")
> MOZILLA Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4a) Gecko/20030401"
> (downloaded on "2003/4/15 UTC+800")

Also tested and found vulnerable:

Netscape 6.2.3, Netscape 7.0, Netscape 7.01, Netscape 7.02 on Linux.

Mozilla 1.0.2, 1.1, 1.2.1, 1.3a on Linux and Mozilla 1.0 on Windows.

Beonex 0.8.2-stable and Phoenix 0.5 (Mozilla rv.: 1.3a Gecko 2002107) on Windows.

> [exp]
> Mozilla does not wash links on the edge of transforming from one document to another.
> 
> {0} Before the content of the next document is loaded, and after the security ID of the current document is changed to the security ID of the next one (such a period exists):
> 
> {1} Links, including their "onclick" property, in the current document remain alive (= clickable).
> {1.1} I can access my link if I have its reference.
> Now, I call its "onclick" via the reference of the link:
> {1.2} "onclick" is executed with the security ID of the next page which is going to be loaded.
> (Boring? "[demo-exp]" is easier.)

Internet Explorer throws an exception when you try to call the 
onclick function by saved reference - perfectly correct 
behavior. Opera seems to silently ignore the call. For Opera it 
seems to be a common behavior to ignore bad calls without 
throwing an exception (another example is calling document.write 
by saved reference on a document that changed origin).

Finally, shameless plug. Our Browser Security Test 
(http://bcheck.scanit.be/bcheck/) now checks for this vulnerability.

Alla
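The three behaviours discussed in this thread (Mozilla running a saved handler under the next document's security ID, Internet Explorer throwing, Opera silently ignoring the call) come down to one design question: does the browser bind a function's principal to the document that created it, and does it check that the document is still loaded when the function is called through a saved reference? The model below is an added example written for this archive page; it is not code from the original post, from Mozilla or Netscape, or from Scanit's Browser Security Test. The names ToyWindow, ToyDocument, Policy and runScenario and the origins http://a.example and http://b.example are constructed for illustration only.

```javascript
// Added example: a toy model of the principal check a browser should perform
// when a function is called through a reference saved from an earlier document.
// Not Mozilla/Netscape code; all names and origins here are constructed.

const Policy = Object.freeze({
  CURRENT_DOCUMENT: "current-document", // bug modelled from the report: run as whatever document is loaded now
  THROW: "throw",                       // behaviour attributed to IE: reject the call with an exception
  IGNORE: "ignore",                     // behaviour attributed to Opera: drop the call silently
});

class ToyDocument {
  constructor(origin) {
    this.origin = origin;   // the document's "security ID" in the report's words
    this.loaded = true;     // cleared when the window navigates away from it
  }
}

class ToyWindow {
  constructor(policy) {
    this.policy = policy;
    this.document = null;
  }

  // Navigating unloads the current document and installs the next one. The
  // window-wide "current document" changes here; objects that scripts saved
  // from the old document do not disappear.
  navigate(origin) {
    if (this.document) this.document.loaded = false;
    this.document = new ToyDocument(origin);
    return this.document;
  }

  // A handler is created inside a document; a correct implementation records
  // the owning document at creation time, not at call time.
  createHandler(body) {
    return { owner: this.document, body };
  }

  // Invoke a handler through a saved reference. Returns the origin the body ran
  // under, or null when the call is ignored. Throws under Policy.THROW when the
  // owning document has been unloaded.
  invoke(handler) {
    if (this.policy === Policy.CURRENT_DOCUMENT) {
      // Wrong: takes the principal from the window's current document, so a
      // handler created in page A runs with page B's security ID.
      return handler.body(this.document.origin);
    }
    if (!handler.owner.loaded) {
      if (this.policy === Policy.THROW) {
        throw new Error("handler belongs to an unloaded document");
      }
      return null;
    }
    // Right: the principal is the one captured when the handler was created.
    return handler.body(handler.owner.origin);
  }
}

// Replays the sequence from the report under one policy: create a handler on
// page A, keep a reference to it, navigate to page B, then call the reference.
function runScenario(policy) {
  const win = new ToyWindow(policy);
  win.navigate("http://a.example");
  const saved = win.createHandler((origin) => origin);
  win.navigate("http://b.example");
  try {
    return { ranAs: win.invoke(saved), threw: false };
  } catch (e) {
    return { ranAs: null, threw: true };
  }
}

// Sanity check for the safe policies: a handler whose document is still loaded
// must keep working, and under its own origin.
function runWithoutNavigation(policy) {
  const win = new ToyWindow(policy);
  win.navigate("http://a.example");
  const saved = win.createHandler((origin) => origin);
  return win.invoke(saved);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const policy of Object.values(Policy)) {
    console.log(policy, JSON.stringify(runScenario(policy)));
  }
}
```

Under the buggy policy the replay reports the handler running as http://b.example, which is the defect the report describes; under the other two policies the stale call is either rejected or dropped, while a handler whose own document is still loaded keeps working under its own origin. The point for anyone building a test like Scanit's is that both the creation-time binding and the liveness check at call time are needed: binding alone would still let an unloaded page's code run, and a liveness check alone would not fix which principal a live handler runs under.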


