lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <53D92929.2010904@securify.nl>
Date: Wed, 30 Jul 2014 19:19:37 +0200
From: "Securify B.V." <lists@...urify.nl>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Bypassing Content-Disposition: attachment for XSS on
 Chrome/Safari(IOS 6.x)

Attached is a screenshot that demonstrates this issue on Yahoo! Mail. 
Despite the Content-Disposition header, (HTML) attachments are rendered 
by Mobile Safari.


On 30-07-14 19:01, Securify B.V. wrote:
> This issue was originally reported as CVE-2011-3426. We can confirm 
> that Mobile Safari on iOS 7.1.2 is still affected. We've reported this 
> to Apple on February 25, 2014. You can test is yourself at:
> http://www.securify.nl/cve-2011-3426.html
>
> This test page sets the following HTTP headers:
>
> Content-Disposition: attachment;filename=cve-2011-3426.html
> Content-Type: application/octet-stream
>
> With kind regards,
>
> Yorick
>
>
> On di, 2014-07-29 at 15:56 +0800, heige wrote:
> >
> > > > Bypassing Content-Disposition: attachment for XSS on 
> Chrome/Safari(IOS)
> > > >
> > > > by Superhei of KnownSec team (www.knownsec.com) 2013.6.3
> > > >
> > > > Test Environment
> > > > ipad(ios 6.1.3)
> > > > Chrome(26.0.1410.53)
> > > >
> > > > This code is downloader for attachment which is a HTML file.
> > > >
> > > > <?php
> > > > //down.php
> > > > header("Content-Type:text/plain");
> > > > //header("Content-Type:text/html");
> > > > header("Content-Disposition: attachment; filename=\"test.html\"");
> > > > echo "<html><script>alert(1)</script></html>";
> > > > ?>
> > > >
> > > > On IOS , when Chrome/Safari visit the down.php, the HTML code 
> will be running.Ofcourse, including the javascript and led to 
> cross-site scripting attacks.
> > > >
> > >
> > from http://www.80vul.com/apple.txt

Download attachment "cve-2011-3426_mobilesafari_yahoo.png" of type "image/png" (74148 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists