lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <252277f40707140044l5dc12052kc73deb744baa63e8@mail.gmail.com>
Date: Sat, 14 Jul 2007 02:44:56 -0500
From: "Martin Aberastegue" <xyborg@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Opera/Konqueror: data: URL scheme address bar
	spoofing

Hi Robert, it works for me on Opera 9.21 (8776) WXP SP2.
I was trying to do the same with firefox and it seems to works too..
but you get the "data:text/html" on the beginning of the URL.

here you have a PoC for FF, it works on a 2.0.0.4 version
http://www.rzw.com.ar/ff_URL_spoofing.html


On 7/14/07, Martin Aberastegue <xyborg@...il.com> wrote:
> Hi Robert, it works for me on Opera 9.21 (8776) WXP SP2.
> I was trying to do the same with firefox and it seems to works too..
> but you get the "data:text/html" on the beginning of the URL.
>
> here you have a PoC for FF, it works on a 2.0.0.4 version
> http://www.rzw.com.ar/ff_URL_spoofing.html
>
>
> On 7/13/07, Robert Swiecki <jagger@...ecki.net> wrote:
> > With a specially crafted web page, an attacker can redirect
> > a www browser to the page, which URL (in the url bar) resembles
> > an arbitrary domain choosen by the attacker.
> >
> > It's possible due to the fact, that some web browsers incorrectly
> > display contents of the url bar while rendering pages based on the
> > 'data:' URL scheme (RFC 2397). Only the ending of the URL is
> > displayed. Padding the URL with whitespaces allows an attacker to
> > insert an arbitrary content into the browser url bar.
> >
> > http://alt.swiecki.net/oper1.html
> >
> > Tested with:
> >  * Opera 9.21 on Win 2003SE and Win XPSP2
> >  * Opera 9.21 on Linux
> >  * Konqueror 3.5.7 on Linux
> >
> > Pictures taken on my systems (using 1024x768 dekstop resolution)
> > http://alt.swiecki.net/operalin.png
> > http://alt.swiecki.net/operawin.png
> > http://alt.swiecki.net/konq.png
> >
> > Successfull attack depends on the proper construction of the
> > 'data:' URL. An algorithm could utilize JS
> > document.body.clientWidth/Height properties to calculate the
> > best url padding for the given browser.
> >
> > PS. Sometimes Opera web browser displays the beggining of
> > the 'data:' URL (correct behaviour), e.g. during
> > browser startup with immediate redirect to the last visited page.
> >
> > --
> > Robert Swiecki
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
> --
> Martin Aberastegue
> http://www.rzw.com.ar
>


-- 
Martin Aberastegue
http://www.rzw.com.ar

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ