| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Sep 2009 21:34:03 +0300 From: "MustLive" <mustlive@...dgeoflove.com.ua> To: <full-disclosure@...ts.grok.org.uk> Subject: Cross-Site Scripting attacks via redirectors in different browsers Hello Full-Disclosure! I already sent this letter to Bugtraq at 6th of September, but they declined to post it without any explanation - maybe it was due to some politic reasons :-). Will see how it'll be with your list. At the end of July I published my article Cross-Site Scripting attacks via redirectors (http://websecurity.com.ua/3376/). And at 4th of August I published English version of my article (http://websecurity.com.ua/3386/). In this article I wrote about using of redirectors in different browsers for conducting of Cross-Site Scripting attacks. In the article I wrote about XSS attacks in location-header and refresh-header redirectors in different browsers: Mozilla 1.7.x, Mozilla Firefox 3.x, Internet Explorer (IE6), Opera 9.x and Google Chrome 1.x. And after additional research in August I found that next browsers are also vulnerable: Google Chrome 2.x and 3.x, QtWeb, Safari, Opera 10.00 Beta 3, SeaMonkey, Firefox 3.6 a1 pre, Firefox 3.7 a1 pre, Orca Browser and Maxthon 3 Alpha. I wrote about five method of attacks in the article (via location-header and refresh-header redirectors) - about four of them I already posted in Bugtraq. In this letter I'll inform you about new vulnerable browsers to those vulnerabilities which I wrote to Bugtraq before. So in my article Cross-Site Scripting attacks via redirectors (http://websecurity.com.ua/3386/) I wrote about five attack vectors: Attack #1 - via refresh-header redirector to javascript: URI (http://www.securityfocus.com/archive/1/504718). Attack #2 - via refresh-header redirector to data: URI (http://www.securityfocus.com/archive/1/504972/30/300/threaded). Attack #3 - via location-header redirector to data: URI (http://www.securityfocus.com/archive/1/505479/30/270/threaded). Attack #4 - via location-header redirector (which use answer "302 Object moved") to javascript: URI (http://www.securityfocus.com/archive/1/506163) Attack #5 - via location-header redirector (which uses any 301 and 302 answers) to javascript: URI. After first release of the article, I found new vulnerable browsers with help of Aung Khant from YEHG Team. The next browsers are also vulnerable: Mozilla Firefox 3.0.13 - vulnerable to attacks #2,3,4. Google Chrome 2.0.172.28, 2.0.172.37 and 3.0.193.2 Beta - vulnerable to attacks #1,2. QtWeb 3.0 Build 001 and 3.0 Build 003 - vulnerable to attacks #1,2,3. Safari 4.0.3 - vulnerable to attacks #1,2. Opera 10.00 Beta 3 Build 1699 - vulnerable to attacks #1,3. SeaMonkey 1.1.17 - vulnerable to attacks #1,2,4. Firefox 3.6 a1 pre - vulnerable to attacks #1,2,3,4. Firefox 3.7 a1 pre - vulnerable to attacks #2,3,4. Orca Browser 1.2 build 5 - vulnerable to attacks #2,3,4. Maxthon 3 Alpha (3.0.0.145) with Ultramode (Appleās WebKit emulation) - vulnerable to attacks #1,2. And also vulnerable to attacks #3,4,5 as Strictly social XSS. Maxthon 3 Alpha is only browser vulnerable to attack #5 (for now). Attack #5 is similar to attack #4, just works in all location-header redirectors. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists