lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 25 Feb 2004 22:51:31 +0100 (CET)
From: Andreas Sandblad <>
To: bugtraq <>
Subject: Sandblad #13: Cross-domain exploit on zombie document with event

Title:      Cross-domain exploit on zombie document with
            event handlers
Date:       2004-02-25
Software:   Mozilla web browser
Status:     Patched
Type:       Cross site scripting
Impact:     Site spoofing, cookie/password theft
Author:     Andreas Sandblad,

When linking to a new page it is still possible to interact with the old
page before the new page has been successfully loaded (zombie document).
Any javascript events fired will be invoked in the context of the new
page, making cross site scripting possible if the pages belong to
different domains.

Mozilla Security Team contacted. Assigned Bugzilla bug #227417:

Fix added.

Mozilla has several security layers to prevent exploitation of zombie
documents. Most important the origin of all javascript code is checked
before execution. The problem occurs with event handlers used in tags.
Some attempts are made to disable them, but can easily be bypassed.

The trick is to fill the current document with as many event handlers as
possible and then redirect to a new page. If the event handler is invoked
at the right time it will be executed in the context of the new page, thus
making cross site scripting possible.

Andreas Sandblad is not responsible for the misuse of the information
provided in this advisory. The opinions expressed are my own and not of
any company. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
advisory. Any use of the information is at the user's own risk.

Please send thoughts and comments to:              _     _                              o' \,=./ `o
                                                    (o o)
Andreas Sandblad, UmeƄ Sweden.

Powered by blists - more mailing lists