lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 21 Oct 2010 19:06:27 -0700
From: Chris Evans <scarybeasts@...il.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Internet Explorer 8 PoC: window.onerror leak
 leads to surge in interest in goat farming?

Hi,

Internet Explorer has a cross-origin leak through the window.onerror
callback.
At first glance, it's a minor leak but if you look around you can find a
significant impact on some subset of websites.

I wrote up more thorough details on how the attack works here:
http://scarybeastsecurity.blogspot.com/2010/10/minor-leak-major-headache.html

I also provided a PoC against Google Reader; the victim has their anti-XSRF
token stolen and this is used to force them to subscribe to a feed on goat
farming: http://scary.beasts.org/misc/reader.html

(Unfortunately -- or fortunately depending upon you point of view -- the PoC
is neutered because the Reader team elected to work around the IE
vulnerability for now).

The vulnerability remains unfixed in production versions of IE and is
approaching 2 years old since vendor notification. This would make this a
600-day disclosure. It would be inaccurate to use the term "0-day", although
misuse of that term is somewhat rampant.

Security-conscious users may wish to prefer the Firefox browser over
Internet Explorer; the timeline in the blog post shows two very different
vendor responses to the exact same cross-origin leak.


Cheers
Chris

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ