Message-ID: <CANXgde45vSgPMmdViAbe0OZ7p6zpnOsjZGqr3=tcMDeaRu3Xfg@mail.gmail.com>
Date: Thu, 31 Jul 2014 13:23:44 +0200
From: Ɓukasz Pilorz <lpilorz@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Bypassing Content-Disposition: attachment for XSS on Chrome/Safari(IOS 6.x)

Hi Yorick,
This is interesting, but as far as I know, since iOS 5 CVE-2011-3426 no
longer allows cross-site scripting in Safari:
http://support.apple.com/kb/HT4999
"This issue is addressed by loading attachments in an isolated security
origin with no access to resources on other sites."

While JavaScript is executed, it has no access to the origin of the hosting
site, apart from access to location and referrer values. Additionally,
Yahoo seems to present this attachment in a separate domain without access
to the user's session, which also stops practical XSS exploitation.

Related test cases:
https://ios.browsr-tests.com/alt/downloads.php

There are some iOS browsers vulnerable in this case, but in Safari the
hosting website will be vulnerable only if it passes session IDs or other
sensitive data in URLs (location/referrer of the download).

Cheers,
Lukasz
@runicpl


> Attached is a screenshot that demonstrates this issue on Yahoo! Mail. Despite
> the Content-Disposition header, (HTML) attachments are rendered by Mobile
> Safari.

On 30-07-14 19:01, Securify B.V. wrote:
>
> This issue was originally reported as CVE-2011-3426. We can confirm that
> Mobile Safari on iOS 7.1.2 is still affected. We've reported this to Apple
> on February 25, 2014. You can test it yourself at:
>
> http://www.securify.nl/cve-2011-3426.html
>
> This test page sets the following HTTP headers:
>
> Content-Disposition: attachment;filename=cve-2011-3426.html
> Content-Type: application/octet-stream
>
> With kind regards,
>
> Yorick


On di, 2014-07-29 at 15:56 +0800, heige wrote:
>
> > > Bypassing Content-Disposition: attachment for XSS on
> > > Chrome/Safari(IOS)
> > >
> > > by Superhei of KnownSec team (www.knownsec.com) 2013.6.3
> > >
> > > Test Environment
> > > ipad(ios 6.1.3)
> > > Chrome(26.0.1410.53)
> > >
> > > This code is the downloader for an attachment which is an HTML file.
> > >
> > > <?php
> > > //down.php
> > > // Serve an HTML body as a download: a non-HTML Content-Type plus an
> > > // attachment disposition carrying an .html filename.
> > > header("Content-Type:text/plain");
> > > //header("Content-Type:text/html");
> > > header("Content-Disposition: attachment; filename=\"test.html\"");
> > > echo "<html><script>alert(1)</script></html>";
> > > ?>
> > >
> > > On iOS, when Chrome/Safari visit down.php, the HTML code will be
> > > run. Of course, this includes the JavaScript and leads to cross-site
> > > scripting attacks.
> > >
> >
> from http://www.80vul.com/apple.txt

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
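The following is an added example written for this archive page; it is not code from any of the posters above, from Securify, KnownSec or Apple. It reproduces the header set the thread's test pages send (the `down.php` downloader and the securify.nl page) in a small local test server, and audits a download response for the three conditions the thread turns on: whether the body would render as HTML in a client that ignores `Content-Disposition: attachment`, whether the download is served from the hosting site's own origin rather than a separate attachment domain (the Yahoo mitigation Lukasz mentions), and whether the download URL or its referrer carries session data, which is the one thing an isolated-origin script in Safari can still read through location and referrer. The `example.test` hostnames, the list of session-like parameter names and the high/medium/low scale are assumptions of this example, not facts from the thread.

```python
import http.server
from urllib.parse import urlsplit, parse_qs

# Heuristic list of query-string names that tend to carry session material
# (assumption: extend it for the application under test).
SESSION_PARAM_NAMES = {"sid", "sessionid", "session", "phpsessid", "jsessionid", "token", "auth"}

# Constructed test payload: like down.php, but it reports what an isolated-origin
# script can still read (location and referrer) instead of a bare alert(1).
TEST_BODY = b"<html><script>alert(location.href + '\\n' + document.referrer)</script></html>"


def build_download_headers(filename, content_type="application/octet-stream"):
    """Headers the thread's test pages send: attachment disposition with an
    .html filename plus a non-HTML Content-Type (text/plain in down.php,
    application/octet-stream on the securify.nl page)."""
    return {
        "Content-Type": content_type,
        "Content-Disposition": 'attachment; filename="%s"' % filename,
    }


def parse_disposition(value):
    """Split a Content-Disposition value into (disposition, filename)."""
    parts = [p.strip() for p in value.split(";")]
    disposition = parts[0].lower()
    filename = None
    for param in parts[1:]:
        name, _, val = param.partition("=")
        if name.strip().lower() == "filename":
            filename = val.strip().strip('"')
    return disposition, filename


def session_params(url):
    """Names of session-like parameters in a URL's query string ([] for None)."""
    if not url:
        return []
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SESSION_PARAM_NAMES)


def origin(url):
    parts = urlsplit(url)
    return "%s://%s" % (parts.scheme.lower(), parts.netloc.lower())


def audit_download(headers, download_url, hosting_origin, referrer=None):
    """Evaluate one download response against the conditions from the thread.

    html_like:      body renders as HTML if the client ignores the disposition
    same_origin:    served from the hosting site's origin (no separate attachment
                    domain), so a client that renders it gets that site's cookies/DOM
    session_in_url: session material in the download URL or referrer, readable
                    even from an isolated origin via location/referrer
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disposition, filename = parse_disposition(h.get("content-disposition", "inline"))
    html_like = ctype == "text/html" or bool(
        filename and filename.lower().endswith((".html", ".htm")))
    return {
        "attachment": disposition == "attachment",
        "html_like": html_like,
        "same_origin": origin(download_url) == origin(hosting_origin),
        "session_in_url": session_params(download_url) + session_params(referrer),
    }


def classify(report):
    """Rough severity (assumption: this example's own scale, not the thread's).
    high: HTML-like download on the hosting origin, full XSS in a client that renders it.
    medium: isolated or separate origin, but location/referrer leak session data."""
    if not report["html_like"]:
        return "low"
    if report["same_origin"]:
        return "high"
    if report["session_in_url"]:
        return "medium"
    return "low"


class DownloadHandler(http.server.BaseHTTPRequestHandler):
    """Serves TEST_BODY the way down.php does; a path under /html sends
    text/html instead so both cases from the thread can be tried from a device."""

    def do_GET(self):
        ctype = "text/html" if self.path.startswith("/html") else "application/octet-stream"
        self.send_response(200)
        for name, value in build_download_headers("test.html", ctype).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(TEST_BODY)))
        self.end_headers()
        self.wfile.write(TEST_BODY)


if __name__ == "__main__":
    # Point a phone at http://<host>:8080/down and http://<host>:8080/html to compare.
    http.server.HTTPServer(("0.0.0.0", 8080), DownloadHandler).serve_forever()
```

Run it with no arguments to serve the two test cases on port 8080; call `audit_download` with a captured header set and the URLs involved to see which of the thread's conditions apply to a real endpoint. Note that `build_download_headers` deliberately reproduces the weak setting (HTML body behind a non-HTML type) so the checker has something to flag; the hardened variants in this thread are the separate attachment domain and keeping session identifiers out of URLs, both of which the audit rewards.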
