lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <e5312d6a04072203503a669f61@mail.gmail.com>
From: divzero at gmail.com (Rudolf Polzer)
Subject: multiple web browsers, multiple bugs - onUnload and location.href

WARNING: please open a new browser instance for it.

Try http://www.informatik.uni-frankfurt.de/~polzer/rbiclan/location

The page is SUPPOSED to prevent going to somewhere else by changing
the URL back in onUnload (even that is already a reason to disable
JavaScript).

The interesting part is: depending on browser, you see different bugs.

Konqueror: an endless loop of alert boxes, seems to have crashed GNOME
(killing konqueror did not make GNOME usable).

Mozilla, Netscape 7 or Firefox: almost works correctly. Except for two
small bugs: View source shows the source of Google or where you TRIED
to go to, while you SEE the unload-trap page. The other bug: when you
close the browser window, onUnload is executed TWICE (you see two
alert boxes, with the number increasing) and the new page is loaded,
but not displayed. But the view-source bug somehow looks suspicious.
Do other parts of Mozilla think it was another website too?

IE (according to someone on IRC, not verified by me): seems to work
perfectly. For one time. Sometimes it goes to google, displays Google,
but shows the www.informatik.uni-frankfurt.de URL in the location bar.
Entering a search expression then uses the wrong domain name. Could
perhaps be used for reading content from "foreign" web sites, didn't
try.

Netscape 4: seems to work perfectly, no view-source bug or similar.
Until you close the browser window, where it becomes an endless alert
loop.

Opera: works perfectly, no bugs found. Except for that this is evil.

Links2: does not support onUnload (good thing!), therefore seems not
to be vulnerable. However, do not expect a browser that crashed on
"var i = 203; ''.charAt(i);" where 203 was a "magic number" and whose
source has variables and comments in Czech only. It took them long to
fix that bug I reported, but at least they finally did it. Even
though, that made me change to w3m.

Except for IE no "big holes" seem to be possible with that. However,
it proves that onUnload is evil (we already know that) and perhaps
shows new, perhaps unknown until now, browser bugs that may lead to
something exploitable. Have fun!


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ