Open Source and information security mailing list archives
 
Message-Id: <4725527.101801247725088592.JavaMail.servlet@perfora>
Date: Thu, 16 Jul 2009 02:18:08 -0400
From: advisories@...ern0t.net
To: <lcamtuf@...edump.cx>
Cc: <bugtraq@...urityfocus.com>
Subject: Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and
 Chrome

I agree completely with mz,


This is just how Firefox works; the data:text/html,base64;somestringinbase64== is just pure functionality. The redirection parameter is not equal to a vulnerability since, as mz said, the attacker could just redirect to his own site.

The best way to defend against any Cross Site Scripting attacks is to sanitize all inputs and outputs properly on your website and perhaps run NoScript as an extra safety precaution as well.

If it were possible to execute system() commands directly through the browser and not JavaScript nor HTML, then that would be a vulnerability, since one could almost do anything with a malicious site, if the input in this example to this function weren't sanitized, of course.


Best Regards,
MaXe

> To bypass protection from JavaScript code execution via refresh header it's
> needed to use data: URI, which will be containing requisite JS code.
> [...] After I informed Mozilla, they declined to fix this vulnerability.

"Refresh" or "Location" redirection in Firefox will not bestow a
security context derived from the referring site upon the executed
code. This is different from the behavior on javascript: URLs.
Granted, it is also somewhat counterintuitive, as other types of
data: navigation - e.g., link navigation, IFRAMEd content, location.*
updates - do inherit that context.

This means that there is nothing to be gained by redirecting to data:
through www.example.com; he could as well just redirect to his own
site and run any potentially malicious JavaScript there.

/mz
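
The following is an added example, not part of the original message or of any project discussed in the thread. It shows one server-side way to validate a redirection parameter before it is written into a "Location" or "Refresh" header, so that data: and javascript: targets and off-site hosts fall back to a default; the names `safe_redirect_target`, `ALLOWED_HOSTS` and `ALLOWED_SCHEMES` and the allowlisted host are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for this example; a real site lists its own hosts.
ALLOWED_HOSTS = {"www.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_target(raw, default="/"):
    """Return raw if it is an acceptable redirect target, else default."""
    if not raw:
        return default
    # Whitespace and control characters have no place in a header value:
    # they enable CR/LF header splitting and scheme-obfuscation tricks.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw):
        return default
    # Some browsers treat "\" like "/", turning "/\host" into "//host".
    if "\\" in raw:
        return default
    try:
        parts = urlsplit(raw)
    except ValueError:
        return default
    if not parts.scheme and not parts.netloc:
        # Relative target: accept only a rooted path on this site.
        if raw.startswith("/") and not raw.startswith("//"):
            return raw
        return default
    # Absolute (or scheme-relative) target: both scheme and host must be
    # allowlisted. This rejects data:, javascript: and foreign hosts.
    if parts.scheme not in ALLOWED_SCHEMES:
        return default
    if parts.hostname not in ALLOWED_HOSTS:
        return default
    return raw


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    for candidate in ("/profile?id=1",
                      "https://www.example.com/account",
                      "data:text/html;base64,PHNjcmlwdD4=",
                      "javascript:alert(1)",
                      "//attacker.example/x"):
        print(repr(candidate), "->", repr(safe_redirect_target(candidate)))
```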
