lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <7af564ad0807040246s2ebd7a20r2e84e2dd233f1314@mail.gmail.com>
Date: Fri, 4 Jul 2008 12:46:05 +0300
From: "Jouko Pynnonen" <jouko@....fi>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Facebook script injection vulnerabilities

The two remaining vulnerabilities seem to have been fixed today.
Updated information:


7) Escaping JS sandbox with literal String reference
Impact: execution of unrestricted JS on canvas pages or profiles
(mouseclick required on profile pages)
Browsers: FF
Description: __parent__ property of a String object can be referenced
using a literal expression and the "bracket syntax" to get a Window
reference.
Reported: June 21, 2008
Fixed: yes
Example:

   "a"["__parent__"].eval("alert('any javascript here');");



8) Escaping JS sandbox with literal RegExp reference
Impact: execution of unrestricted JS on canvas pages or profiles
(mouseclick required on profile pages)
Browsers: FF
Description: __parent__ property of a RegExp object can be referenced
using a literal expression and the "bracket syntax" to get a Window
reference.
Reported: June 21, 2008
Fixed: yes
Example:

  /a/["__parent__"].eval("alert('any javascript here');");




On Thu, Jul 3, 2008 at 2:01 AM, Jouko Pynnonen <jouko@....fi> wrote:
> Hello,
>
> This is a summary of various Facebook security issues found and
> reported since June 13, 2008. Two of the vulnerabilities still remain
> on the site, so no details of them are disclosed here. The rest have
> been fixed.
>
> Any of these could be exploited to take over the victim's web browser
> temporarily to e.g. read inbox messages, forcibly install FB
> applications, manipulate friend lists, post messages as the victim
> user, etc. Any of these would also allow creation of a
> self-propagating JavaScript virus/worm.
>
> Most of the issues require the victim user to click on a profile box
> or visit a canvas page of an application in order to trigger the
> injected JavaScript. Issues 2) and 3) don't require mouse clicks.
>
> The vulnerabilities were tested with two browsers: Firefox 3 (Linux +
> Windows) and Internet Explorer 7.
>
>
>
> 1) Escaping JS sandbox with literal Function constructor reference
> Impact: execution of unrestricted JS on canvas pages or profiles
> (mouseclick required on profile pages)
> Description: The JS sandbox denies references to Function.constructor
> but using a literal such as "function f() { }" in the code and
> refering to its constructor with the "bracket syntax" was possible.
> The example below uses this method and calls the constructor with a
> string argument, then calls the resulting Function object.
> Browsers: FF, IE
> Reported: June 13, 2008
> Fixed: yes
> Example:
>
>   (function f(){}["constructor"]("alert('any javascript here');"))();
>
>
>
> 2) Fb:silverlight JS injection
> Impact: execution of unrestricted JS on canvas pages, profiles
> Description: Simple XSS, described in the previous message to full-disclosure.
> Browsers: FF, IE
> Reported: June 16, 2008
> Fixed: yes
> Example:
>
>  <fb:silverlight silverlightsrc="a"
>   width="\" height=",any_javascript_code_here);//" />
>
>
>
> 3) Injecting JS in Feeds
> Impact: execution of unrestricted JS when viewing Feeds on profile
> page or the "home" page
> Description: Insufficient input validation in the
> publishTemplatizedAction API method.
> Browsers: FF, IE
> Reported: June 16, 2008
> Fixed: yes
> Example:
>
>  # using the perl API
>
>  $facebook->feed->publish_templatized_action( title => "My Title",
>        title_template => "{actor} is testing feed stories",
>        body_template => "hello",
>        image_1 => "http://www.mysite.com/image.gif'\"
> onload=(function&#9;f(){}['constructor']('alert(1)'))();",
>        image_1_link => "http://www.mysite.com" );
>
>
>
> 4) Escaping JS sandbox with literal Number reference
> Impact: execution of unrestricted JS on canvas pages or profiles
> (mouseclick required on profile pages)
> Description: Using the "bracket syntax" to reference the __parent__
> property of a floating point number to get a Window object reference,
> then calling its eval() to run arbitrary code. IE doesn't support the
> property.
> Browsers: FF
> Reported: June 18, 2008
> Fixed: yes
> Example:
>
>   <script>
>   1.["__parent__"].eval("alert('any javascript here');");
>   </script>
>
>
>
> 5) Injecting JS in video attachments
> Impact: execution of unrestricted JS when a inbox, wall or forum
> message is viewed (mouseclick required)
> Description: When sharing video content with the
> http://www.facebook.com/sharer.php form, some input fields can be
> modified e.g. with JavaScript. The example below can be typed in the
> address bar to inject JS in a message.
> Browsers: FF, IE
> Reported: June 20, 2008
> Fixed: yes
> Example:
>
>  javascript:f=document.forms[0];f['attachment[params][video][src]'].value='#"
> a=b><img src="#" onerror=alert("hello")>
>
>
>
> 6) Escaping JS sandbox with E4X
> Impact: execution of unrestricted JS on canvas pages or profiles
> (mouseclick required on profile pages). Works in browsers supporting
> E4X (Firefox)
> Description: JS parser in browsers supporting E4X understand XML,
> which can contain multi-line strings. Facebook's JS sandbox technology
> didn't expect XML and multi-line strings. The example below
> demonstrates how this could be used to fool the sandbox logic.
> Browsers: FF
> Reported: June 26, 2008
> Fixed: yes
> Example:
>
>   <script>
>   <x x="
>   x" {alert('any javascript')}="x"
>   />
>   </script>
>
>
>
> 7) Escaping JS sandbox
> Impact: execution of unrestricted JS on canvas pages or profiles
> (mouseclick required on profile pages)
> Browsers: FF
> Reported: June 21, 2008
> Fixed: no
>
>
>
> 8) Escaping JS sandbox
> Impact: execution of unrestricted JS on canvas pages or profiles
> (mouseclick required on profile pages)
> Browsers: FF
> Reported: June 21, 2008
> Fixed: no
>
>
>
>
> --
> Jouko Pynnönen <jouko@....fi>
> http://iki.fi/jouko
> Finland
>



-- 
Jouko Pynnönen <jouko@....fi>
http://iki.fi/jouko
Finland

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ