Date: Wed, 21 Apr 2010 23:18:08 +0400
From: Владимир Воронцов <vladimir.vorontsov@...ec.ru>
To: Full disclosure <full-disclosure@...ts.grok.org.uk>
Subject: IE8 img tag HiJacking

Hello Full disclosure!

Once again unwinding the HiJacking theme, I found a fun way to get at the
very least some information about the target resource when the user is at
the attacker's site.

The already crocked <img> tag opens new opportunities using the fileSize
method, described here:
http://msdn.microsoft.com/en-us/library/ms533752(v=VS.85).aspx

Consider a simple example - a Web application after authentication
provides some sort of picture for the user, for example: 

http://example.com/getImage.php?image=myAvatar 

The attacker, knowing this, can create a page that reads:

<img id="onsec" src="http://example.com/getImage.php?image=myAvatar"> 

<input type="button" onclick="if (onsec.fileSize > 0) { alert('authorized on example.com') } else { alert('not authorized on example.com') }">

Thus, in the simplest case, the attacker learns whether the target user
has access to example.com.

Continuing the theme, I want to note that in some cases one can obtain
additional information from the very value of the picture's size. It can be
any logical information of the Web application; say, the same script can
show administrators a picture of one size, and users a picture of another.
Thus, we obtain the user's rights. And so on.

I'd like the method to return the size not only of "valid" images, but
also of HTML pages, JSON, etc. But, unfortunately, it does not work. Maybe,
of course, there are exceptions; I call for investigating the matter.

I have some thoughts on the study of vector images in XML format, because
HTML is often valid XML, and then ... 

I checked the test version of IE9, but it did not support SVG inside the
<img> tag, only as a separate tag.

Works in IE8; in Opera 10.52 it does not work. Please check and write, if
it is not difficult.

Original in Russian: http://oxod.ru/?p=113

-- 
Best regards, 
Vladimir Vorontsov
ONsec security expert
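
A server-side mitigation for the probe described in this message, as an added example that is not part of the original post: the image endpoint refuses cross-site requests before it looks at the session, so a third-party page receives the same answer whatever the visitor's login state or role. The origin value, the function names and the strict no-Referer policy are assumptions made for illustration.

```javascript
// Added example, not from the original post. All names here are hypothetical.
const OWN_ORIGIN = 'http://example.com'; // assumption: the application's only origin

// Decide from request headers alone whether a request for a per-user image
// was issued by one of the application's own pages. Header names are
// lower-case, as Node's http module delivers them.
function isSameOriginImageRequest(headers) {
  // Browsers with Fetch Metadata state the relationship directly.
  const site = headers['sec-fetch-site'];
  if (site !== undefined) return site === 'same-origin';
  // Older browsers (IE8 among them) send no Fetch Metadata: fall back to Referer.
  const referer = headers['referer'];
  if (!referer) return false; // assumption: strict policy, no Referer means refuse
  try {
    // Compare parsed origins; a prefix match would accept example.com.evil.test.
    return new URL(referer).origin === OWN_ORIGIN;
  } catch {
    return false; // unparsable Referer
  }
}

// Build the response. The cross-site branch runs before the session is read,
// so status, headers and body size are identical for administrators,
// ordinary users and anonymous visitors.
function respond(headers, session, loadImage) {
  const common = {
    'Cross-Origin-Resource-Policy': 'same-origin', // enforced only by browsers that support it
    'Vary': 'Sec-Fetch-Site, Referer',
  };
  if (!isSameOriginImageRequest(headers)) {
    return { status: 403, headers: common, body: '' };
  }
  if (!session) return { status: 401, headers: common, body: '' };
  return {
    status: 200,
    headers: { ...common, 'Content-Type': 'image/png' },
    body: loadImage(session),
  };
}

// Constructed sample requests (not captured traffic).
const samples = [
  { referer: 'http://example.com/profile' },
  { referer: 'http://attacker.example/page.html' },
  { 'sec-fetch-site': 'cross-site', referer: 'http://example.com/profile' },
];
for (const h of samples) {
  console.log(JSON.stringify(h), '->', respond(h, { user: 'admin' }, () => 'PNG').status);
}
```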
