Message-ID: <20e4478be9fd4937b6ad47379fb8fa23@mccanless.us>
Date: Sat Jan 14 16:02:20 2006
From: lists at mccanless.us (lists)
Subject: Firefox 1.5 allow cross-domain posting to secured pages

I reported this to Bugzilla over a year ago (256202) but it looks like they don't plan on fixing it...

If a form attempts to post data to a site that is secured by basic auth and the site is outside the current domain, then Firefox dutifully alerts you that an attempt is being made at cross-domain posting.  

Example 1: 

You are at site www.abc.com and a form attempts to post form data to www.123.com which is secured by basic authorization. Using a URL in the form of username:password@....com, Firefox alerts you.

However, just drop a hidden IFRAME in the form, set its src to username:password@....com and Firefox is fooled into thinking that it is not a cross-domain posting. So no warning pops up. You can also drop the U/P on the URL in the form's action since the IFRAME has already logged in.

While there are probably lots of annoying things that can arise from this, one novel exploit came to mind. Since so many users never change the default password for home routers and since routers use basic authentication for logins, you could devise a form that changes router settings of a user and that user is never notified. One could easily create a simple HTML page that has a form that posts form data to a common IP for home routers using the default U/P. This could be used to turn off the firewall or turn on remote management. Then just log the IPs of visitors and write a script to test if it worked. I tested this on some of the most common routers with Firefox 1.5 and it works like a charm with no notification to the user.

Hopefully, Firefox will fix this now that it has been posted.
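
The pattern described in the post above (an embedded URL carrying user:pass@ credentials for a foreign host, followed by a form posting to that same host) is something a content filter or crawler can flag. The following is an added example, not part of the original post; the function names, the sample page, and its credentials, path and address are constructed placeholders.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Tag -> attribute that makes the browser fetch from or submit to a URL.
URL_ATTRS = {"iframe": "src", "frame": "src", "img": "src", "form": "action"}

def is_private(host):
    """True for literal private or loopback IPs (typical home-router addresses)."""
    try:
        return ip_address(host).is_private
    except ValueError:
        return False  # a DNS name, not an IP literal

class EmbedScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlsplit(page_url).hostname
        self.primed = []      # cross-host URLs carrying user:pass@ userinfo
        self.form_hosts = []  # cross-host form targets without userinfo

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(URL_ATTRS.get(tag))
        if not value:
            return
        url = urlsplit(value)
        if not url.hostname or url.hostname == self.page_host:
            return  # relative or same-host URL
        if url.username is not None:
            self.primed.append((tag, url.hostname))
        elif tag == "form":
            self.form_hosts.append(url.hostname)

def scan(page_url, html):
    """Return (kind, host, host_is_private_ip) findings for one page."""
    s = EmbedScanner(page_url)
    s.feed(html)
    primed_hosts = {host for _, host in s.primed}
    out = [("userinfo-in-" + tag, host, is_private(host)) for tag, host in s.primed]
    out += [("form-to-primed-host", h, is_private(h)) for h in s.form_hosts if h in primed_hosts]
    return out

# Constructed sample page: placeholder credentials, path and address.
SAMPLE = """
<iframe style="display:none" src="http://USER:PASS@192.168.0.1/"></iframe>
<form method="post" action="http://192.168.0.1/placeholder"></form>
<form method="post" action="/search"></form>
"""

if __name__ == "__main__":
    for finding in scan("http://www.abc.com/", SAMPLE):
        print(finding)
```

A finding whose third field is True points at a private address, which matches the home-router case raised in the post.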