Bugtraq mailing list archives
Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 26 Jul 2009 23:54:03 +0300
Hello Michal! First, I note that when I find time, I'll answer your previous comment about redirection to javascript: URIs in different browsers. Second, I note that, please, write about something new, not about what I already mentioned in my advisory ;-).
> "Refresh" or "Location" redirection in Firefox will not bestow a
> ...
> updates - do inherit that context.
I know it. And I mentioned this in my paragraph "Via data: it's possible to bypass in Firefox ...". In this paragraph I wrote "But in Firefox 3.0.11 and Google Chrome you can't get to cookies this way", which is the same as what you wrote, but in a more laconic way. And in the same paragraph I wrote "but it's possible in old Mozilla (and in those versions of Firefox where there is relation between data: page and original page)". So there are browsers in which data: URIs from redirectors inherit the context of the site. In any case, JavaScript execution is dangerous even without a relation with the original site. Your position is similar to Mozilla's position. And because Mozilla declined to fix this hole due to "lack of inheritance" between the data: URI and the site with the redirector, and Chrome also has no such inheritance, I didn't send my advisory directly to the Google Security Team. And from your declining of this vulnerability, I see that it's Google's official position about this issue. I understand your and Mozilla's position, but I don't agree with you. And I wrote enough (as I was thinking) arguments in my advisory about why it's dangerous and why it needs to be fixed. Third, I note that there is no need to hurry to write about location redirection in Firefox, because the day before your comment I posted at my site an advisory about this vulnerability in Firefox (and not only in it, but also in Opera). And I'll write a separate advisory (when I find time) to Bugtraq about those holes.
> This means that there is nothing to be gained by redirecting to data:
Michal, there is always something that bad guys can gain. And they can gain benefits even from a data: URL without inheritance from the original site. JavaScript execution (of evil code) alone is dangerous. Like I said to Mozilla, cookie stealing (and such things as access to the DOM) is only one vector; there are other attack vectors. As I mentioned in the advisory, it can be used particularly for malware spreading.
> he could as well just redirect to his own site and run any potentially malicious JavaScript there.
First he needs to have his own web site (with malicious JS code) and then he needs to redirect users to it. With this hole in different browsers new attack vectors appear - no need to redirect to any site, just execute JS code from the redirector. Bad guys don't even need to have their own bad sites, just use all vulnerable redirectors (so they can't be closed, so they have no such risk, and for this reason it'll be harder to stop such malware spreading, because there will be no site to close and no site to block with antiphishing lists). And there are a lot of vulnerable redirectors on the Internet. I planned to write an article about JavaScript Execution attacks in different browsers via different redirectors to draw the attention of the Internet community to this problem. I didn't write it in the last two weeks, but I'll do it soon.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Michal Zalewski" <lcamtuf () coredump cx>
To: "MustLive" <mustlive () websecurity com ua>
Cc: <bugtraq () securityfocus com>
Sent: Wednesday, July 15, 2009 11:00 PM
Subject: Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome
> To bypass protection from JavaScript code execution via refresh header it's needed to use data: URI, which will be containing requisite JS code.
> [...]
> After I informed Mozilla, they declined to fix this vulnerability.

"Refresh" or "Location" redirection in Firefox will not bestow a security context derived from the referring site upon the executed code. This is different from the behavior on javascript: URLs. Granted, it is also somewhat counterintuitive, as other types of data: navigation - e.g., link navigation, IFRAMEd content, location.* updates - do inherit that context. This means that there is nothing to be gained by redirecting to data: through www.example.com; he could as well just redirect to his own site and run any potentially malicious JavaScript there.

/mz
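A defender-side illustration of the point argued in this thread, added here as an example and not part of either author's message: a site's redirector should refuse targets whose scheme is data:, javascript: or vbscript: (including percent-encoded or tab-obfuscated spellings and scheme-relative forms), and the access log of an existing redirector can be checked for such targets. The host www.example.com, the /redirect?url= parameter and the log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

DANGEROUS_SCHEMES = {"data", "javascript", "vbscript"}
ALLOWED_HOSTS = {"www.example.com"}  # assumption: the site hosting the redirector


def normalise(target: str) -> str:
    # Decode one layer of percent-encoding and drop control characters, which
    # browsers ignore inside a scheme ("java\tscript:" still means javascript:).
    return "".join(ch for ch in unquote(target) if 31 < ord(ch) != 127).strip()


def is_safe_redirect_target(target: str) -> bool:
    """True only for a same-site path or an allowlisted http(s) host."""
    cleaned = normalise(target)
    if not cleaned or cleaned.startswith(("//", "/\\", "\\")):
        return False  # scheme-relative and backslash forms resolve to another host
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()
    if scheme in DANGEROUS_SCHEMES or (scheme and scheme not in ("http", "https")):
        return False
    if parts.netloc:
        return parts.hostname in ALLOWED_HOSTS
    return cleaned.startswith("/")


LOG_RE = re.compile(r'"GET (\S+) HTTP/[\d.]+"')


def find_script_redirects(log_lines, param="url"):
    """Return (line number, decoded target) for requests to the redirector
    whose target parameter carries a data:/javascript:/vbscript: scheme."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            cleaned = normalise(value)  # second decode catches double-encoding
            if urlsplit(cleaned).scheme.lower() in DANGEROUS_SCHEMES:
                hits.append((n, cleaned))
    return hits


SAMPLE_LOG = [  # constructed sample lines, not from the original thread
    '10.0.0.1 - - [26/Jul/2009:23:54:03 +0300] "GET /redirect?url=/account HTTP/1.1" 302 0',
    '10.0.0.2 - - [26/Jul/2009:23:55:10 +0300] "GET /redirect?url=data:text/html,example HTTP/1.1" 302 0',
    '10.0.0.3 - - [26/Jul/2009:23:56:41 +0300] "GET /redirect?url=java%09script:example HTTP/1.1" 302 0',
    '10.0.0.4 - - [26/Jul/2009:23:57:02 +0300] "GET /redirect?url=https://www.example.com/x HTTP/1.1" 302 0',
]
```

Running `find_script_redirects(SAMPLE_LOG)` flags lines 2 and 3; the validator accepts only lines 1 and 4 as redirect targets.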