[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTikyKv1trS=hQU47GophovhbDc6Cu_sVv-+e5=ob@mail.gmail.com>
Date: Mon, 9 Aug 2010 16:16:20 +0200
From: "Jan G.B." <ro0ot.w00t@...glemail.com>
To: MustLive <mustlive@...security.com.ua>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Cross-Site Scripting vulnerability in Mozilla
Firefox, Opera and other browsers
Hi MustLive,
I can not reproduce this on Firefox 3.6.8. When a test-application
with one line of code gives the redirect, then nothing happens.
No page with a "here" link and no alert and whatnot.
maybe it's just your proxy or so..
<?php header(sprintf('Location: %s', $_GET['redir']), 302); ?>
/site.php?redir=javascript:alert(document.cookie)
=> Result: A blank page
2010/8/8 MustLive <mustlive@...security.com.ua>:
> Hello Full-Disclosure!
>
> I want to warn you about Cross-Site Scripting vulnerability in Mozilla
> Firefox, Opera and other browsers. It allows to bypass protection from
> executing of JavaScript code in location-header redirectors (by redirecting
> to javascript: URI).
>
> Recently, 04.08.2010, I wrote about vulnerability in Mozilla and Mozilla
> Firefox at my site. I made full disclosure because Mozilla completely
> ignored similar vulnerability, which I informed them in August 2009, like
> all other vulnerabilities in Firefox which I wrote in 2009 in my article
> Cross-Site Scripting attacks via redirectors
> (http://websecurity.com.ua/3386/). After that release I made additional
> checks of this vulnerability in different browsers and found that Opera
> 10.53 is vulnerable (to new and old holes), at that version Opera 9.52 was
> not vulnerable. It looks like Opera ignored my article Cross-Site Scripting
> attacks via redirectors and those two vulnerabilities (two attack vectors
> via redirectors), which I told them about in 2009, and added two new attack
> vectors via redirectors.
>
> Earlier I already wrote about Cross-Site Scripting vulnerability in Mozilla,
> Firefox and other browsers (http://websecurity.com.ua/3373/) (CVE-2009-3014)
> via redirectors with answer "302 Object moved". As I recently checked,
> besides earlier mentioned vulnerable browsers also the next browsers are
> vulnerable: Firefox 3.0.19, Firefox 3.5.11, Firefox 3.6.8, Firefox 4.0b2 and
> Opera 10.53 (at that version Opera 9.52 isn't vulnerable). Recently I
> informed Mozilla and Opera about these issues in their browsers.
>
> In Firefox at the sites, which use answer "302 Found" in redirectors, at
> request to location-header redirector with setting of JavaScript code, the
> browser will show "Found" page, where there is this code in the link “here”.
> At click on which the code will execute. I.e. it is Strictly social XSS, and
> also this is one more example of Local XSS
> (http://websecurity.com.ua/4219/).
>
> XSS:
>
> With request to script at web site:
>
> http://site/script.php?param=javascript:alert(document.cookie)
>
> Which returns in answer the Location header:
>
> HTTP/1.x 302 Found
> Location: javascript:alert(document.cookie)
>
> The browser will show “Found” page. At click on the link “here” the code
> will execute in context of this site.
>
> Besides javascript URI also it's possible to use data URI for executing of
> JS-code, if redirector outputs in Location header the chars ";" and "," in
> plain (not in URL encoding) form.
>
> Also in all versions of Mozilla and Mozilla Firefox it's possible to use
> another variant of Strictly social XSS - with using of -moz-binding (for
> Firefox < 3.0 or for Firefox => 3.0 with xml-file on the same site) or with
> using of onMouseOver:
>
> http://site/script.php?param=a:%22%20onMouseOver=%22alert(document.cookie)
>
> At moving of the cursor on the link “here” the code will execute in context
> of this site.
>
> And if to use my MouseOverJacking technique
> (http://websecurity.com.ua/3814/), then it's possible to automate this
> attack in all versions of Mozilla and Mozilla Firefox (especially when using
> of -moz-binding isn't possible):
>
> http://site/script.php?param=a:%22%20style=%22width:100%25;height:100%25;display:block;position:absolute;top:0px;left:0px%22%20onMouseOver=%22alert(document.cookie)
>
> This attack is possible only if redirector (with "302 Found" or "302 Object
> moved" answer) outputs double quote in Location header in plain (not in URL
> encoding) form.
>
> Affected software:
>
> Vulnerable are Mozilla 1.7.x and previous versions.
>
> Vulnerable are Mozilla Firefox 3.0.19, Firefox 3.5.11, Firefox 3.6.8,
> Firefox 4.0b2 and previous versions.
>
> Vulnerable are Opera 10.53 and potentially all 10.x versions (at that
> version Opera 9.52 isn't vulnerable).
>
> As in case of XSS via redirectors with answer "302 Object moved", to this
> vulnerability also must be vulnerable the next browsers: SeaMonkey 1.1.17,
> Firefox 3.7 a1 pre, Orca Browser 1.2 build 5 and Maxthon 3 Alpha (3.0.0.145)
> with Ultramode.
>
> I mentioned about this vulnerability at my site
> (http://websecurity.com.ua/4432/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists