lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0707082344500.17746@dione>
Date: Mon, 9 Jul 2007 15:37:26 +0200 (CEST)
From: Michal Zalewski <lcamtuf@...ne.ids.pl>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Firefox wyciwyg:// cache zone bypass

There is an interesting vulnerability in how Mozilla Firefox handles
internal wyciwyg:// pseudo-URIs. These cache-related resource identifiers
are meant to be inaccessible by the user - but there are at least three
routes to bypass these restrictionss, one of which - HTTP 302 redirect -
also improperly employs same-domain policy checks.

This combo flaw enables attackers to intercept sensitive data, perform
cache poisoning, or carry out URL spoofing (including SSL certs), against
sites that scriptually render documents on client side, and hence produce
wyciwyg:// resources to begin with. Although not all sites are susceptible
to attacks, a good chunk of "Web 2.0", a selection of popular webmails,
and several major banks, very much are.

A quick demo and a more detailed discussion can be found here:

  http://lcamtuf.coredump.cx/ffcache/

PS. The two remaining routes to bypass wyciwyg:// restrictions
(XMLHttpRequest() and view-source: URIs) appear to properly implement
same-domain checks (although view-source seems to be nevertheless not
functioning as intended). document.write() + XMLHttpRequest to wyciwyg://
URIs can be used by rogue websites to conveniently store and retrieve
persistent "markers" on visitor's machine regardless of cookie settings;
that's not a disaster, but still not very nice.

PS2. Bugzilla entry here - source patch available:
https://bugzilla.mozilla.org/show_bug.cgi?id=387333

Cheers!
/mz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ