Message-ID: <448e9a320909160007v242c8c0ck429deb2cec6885bf@mail.gmail.com>
Date: Wed, 16 Sep 2009 00:07:08 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: Inferno <inferno@...urethoughts.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more

> Back in 2006, there was interesting research done by James Holderness[1] and
> James M. Snell[2] which uncovered a variety of XSS issues in various online
> feed aggregator services (e.g. Feed Demon). The vulnerability arises from
> the fact that it is not expected of RSS readers to render scripted content.
> I want to extend that research by doing threat analysis on inbuilt feed
> readers offered in most modern browsers. I have found Google Chrome (v2,3)
> and Opera (v9,v10) to be vulnerable, while Internet Explorer(v7,8), Firefox
> 3.5 and Safari 4 are resilient to the exploits mentioned below.

To be precise, Chrome does *not* have a built-in feed reader, and
instead attempts to render the payload as a generic XML/HTML document,
which causes the behavior observed. The behavior of Chrome, MSIE6,
and Opera has actually been covered for a while in the Browser Security
Handbook:

http://code.google.com/p/browsersec/wiki/Part1#Other_built-in_document_formats

More specifically, this is outlined in the "Is generic XML document
support present?", "Is RSS feed support present?", "Is ATOM feed
support present?", "Does JavaScript execute within feeds?", and "Are
javascript: or data: URLs permitted in feeds?" tests.

There are also some interesting details related to SVG and other XML
formats along these same lines.

Cheers,
/mz
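
The thread's point is that a feed consumer must not treat feed markup as trusted HTML: script elements, inline event handlers and javascript:/data: URLs can all ride inside Atom/RSS content. As an added example (not from the original message, the thread, or the Browser Security Handbook), the following is the kind of pre-render audit an aggregator could run on a fetched feed. It walks inline XHTML content as XML and escaped HTML payloads (`type="html"`, RSS `<description>`) with an HTML parser, and returns findings for each condition the handbook tests name. `audit_feed`, the helper names and the sample feed are constructed for this example; only the standard library is used.

```python
"""Audit a feed document for scripted content before an aggregator renders it."""
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# URL schemes that should never be dereferenced from feed markup.
RISKY_SCHEMES = ("javascript:", "data:", "vbscript:")
URL_ATTRS = ("href", "src")


def _local(name):
    """Strip an XML namespace: '{http://www.w3.org/1999/xhtml}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def _risky_url(value):
    # Browsers skip leading whitespace and control characters before the scheme,
    # so normalise the same way before comparing.
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return cleaned.startswith(RISKY_SCHEMES)


def _check_attrs(attrs, where, findings):
    """Flag on* event handlers and risky URL schemes in an attribute list."""
    for name, value in attrs:
        lname = _local(name)
        if lname.startswith("on"):
            findings.append(f"{where}: event handler attribute '{lname}'")
        elif lname in URL_ATTRS and _risky_url(value or ""):
            findings.append(f"{where}: risky URL scheme in '{lname}'")


class _HtmlScanner(HTMLParser):
    """Scans escaped HTML found in <content type="html">, <summary>, <description>."""

    def __init__(self, where, findings):
        super().__init__()
        self.where, self.findings = where, findings

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.findings.append(f"{self.where}: <script> element in escaped HTML")
        _check_attrs(attrs, self.where, self.findings)


def audit_feed(xml_text):
    """Return a list of findings; an empty list means no scripted content was seen."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        name = _local(elem.tag)
        where = f"<{name}>"
        if name == "script":  # inline XHTML (type="xhtml") is part of the XML tree
            findings.append(f"{where}: script element in feed markup")
        _check_attrs(elem.attrib.items(), where, findings)
        # Escaped HTML payloads are text to the XML parser; scan them as HTML.
        # RSS <description> is HTML by convention; Atom content defaults to text.
        default_type = "html" if name == "description" else "text"
        ctype = elem.get("type", default_type).lower()
        if name in ("content", "summary", "description") and ctype == "html" and elem.text:
            _HtmlScanner(where, findings).feed(elem.text)
    return findings


# Constructed sample feed: one entry with inline XHTML, one with escaped HTML.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:xhtml="http://www.w3.org/1999/xhtml">
  <title>Constructed sample feed</title>
  <entry>
    <title>Inline XHTML content</title>
    <link href="javascript:void(0)"/>
    <content type="xhtml">
      <xhtml:div>
        <xhtml:p>hello</xhtml:p>
        <xhtml:script>void(0)</xhtml:script>
      </xhtml:div>
    </content>
  </entry>
  <entry>
    <title>Escaped HTML content</title>
    <link href="http://example.com/post"/>
    <content type="html">&lt;img src="x" onerror="void(0)"&gt;</content>
    <summary type="html">&lt;a href=" data:text/html,x"&gt;x&lt;/a&gt;</summary>
  </entry>
</feed>"""


if __name__ == "__main__":
    for finding in audit_feed(SAMPLE_FEED):
        print(finding)
```

Running the block prints four findings for the sample: the javascript: link, the XHTML script element, the onerror handler in the escaped image tag, and the data: URL in the summary. An aggregator would normally strip or refuse such entries rather than only report them; the audit is kept separate here so the decision (reject the entry, sanitise it, or log it) stays with the caller.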

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/