lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <72daeffd0812180100p6698b729j9e3f783c2db98105@mail.gmail.com>
Date: Thu, 18 Dec 2008 01:00:22 -0800
From: "Chris Evans" <scarybeasts@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Firefox cross-domain text theft (CESA-2008-011)

Hi,

Firefoxes 2.0.0.19 and 3.0.5 fix a cross-domain theft of textual data.
The theft is via cross-domain information leaks in JavaScript error
messages for scripts executed via <script src="remote_domain.org">.
The JavaScript error messages are made available to the window.onerror
handler. In some cases, JavaScript error messages can contain pieces
of text from the remote domain as part of the error message, e.g.
"blah is not defined". This permits certain textual constructs to be
stolen cross-domain.

The broader issue was fixed in Firefox 3.0. However this fix was not
complete. The fix could be dodged by using another instance of the
"302 redirect trick". It was possible to cause the browser to believe
a remote script was in fact local, and therefore continue to reveal
JavaScript error messages.

Advisory: http://scary.beasts.org/security/CESA-2008-011.html

Blog post: http://scarybeastsecurity.blogspot.com/2008/12/firefox-cross-domain-text-theft.html

Cheers
Chris

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ