Full Disclosure mailing list archives
Cross-Site Scripting attacks via redirectors in different browsers
From: "MustLive" <mustlive () bridgeoflove com ua>
Date: Thu, 17 Sep 2009 21:34:03 +0300
Hello Full-Disclosure!

I already sent this letter to Bugtraq on the 6th of September, but they declined to post it without any explanation - maybe it was due to some political reasons :-). We will see how it goes with your list.

At the end of July I published my article Cross-Site Scripting attacks via redirectors (http://websecurity.com.ua/3376/). And on the 4th of August I published the English version of my article (http://websecurity.com.ua/3386/). In this article I wrote about using redirectors in different browsers for conducting Cross-Site Scripting attacks.

In the article I wrote about XSS attacks in location-header and refresh-header redirectors in different browsers: Mozilla 1.7.x, Mozilla Firefox 3.x, Internet Explorer (IE6), Opera 9.x and Google Chrome 1.x. And after additional research in August I found that the following browsers are also vulnerable: Google Chrome 2.x and 3.x, QtWeb, Safari, Opera 10.00 Beta 3, SeaMonkey, Firefox 3.6 a1 pre, Firefox 3.7 a1 pre, Orca Browser and Maxthon 3 Alpha.

I wrote about five methods of attack in the article (via location-header and refresh-header redirectors) - about four of them I already posted to Bugtraq. In this letter I'll inform you about new browsers vulnerable to those vulnerabilities which I wrote to Bugtraq about before.

So in my article Cross-Site Scripting attacks via redirectors (http://websecurity.com.ua/3386/) I wrote about five attack vectors:

Attack #1 - via refresh-header redirector to javascript: URI (http://www.securityfocus.com/archive/1/504718).
Attack #2 - via refresh-header redirector to data: URI (http://www.securityfocus.com/archive/1/504972/30/300/threaded).
Attack #3 - via location-header redirector to data: URI (http://www.securityfocus.com/archive/1/505479/30/270/threaded).
Attack #4 - via location-header redirector (which uses the answer "302 Object moved") to javascript: URI (http://www.securityfocus.com/archive/1/506163).
Attack #5 - via location-header redirector (which uses any 301 and 302 answers) to javascript: URI.

After the first release of the article, I found new vulnerable browsers with the help of Aung Khant from YEHG Team. The following browsers are also vulnerable:

Mozilla Firefox 3.0.13 - vulnerable to attacks #2,3,4.
Google Chrome 2.0.172.28, 2.0.172.37 and 3.0.193.2 Beta - vulnerable to attacks #1,2.
QtWeb 3.0 Build 001 and 3.0 Build 003 - vulnerable to attacks #1,2,3.
Safari 4.0.3 - vulnerable to attacks #1,2.
Opera 10.00 Beta 3 Build 1699 - vulnerable to attacks #1,3.
SeaMonkey 1.1.17 - vulnerable to attacks #1,2,4.
Firefox 3.6 a1 pre - vulnerable to attacks #1,2,3,4.
Firefox 3.7 a1 pre - vulnerable to attacks #2,3,4.
Orca Browser 1.2 build 5 - vulnerable to attacks #2,3,4.
Maxthon 3 Alpha (3.0.0.145) with Ultramode (Apple's WebKit emulation) - vulnerable to attacks #1,2. And also vulnerable to attacks #3,4,5 as Strictly social XSS.

Maxthon 3 Alpha is the only browser vulnerable to attack #5 (for now). Attack #5 is similar to attack #4, it just works in all location-header redirectors.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
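The mitigation a site operator would want for the redirectors described in the post is independent of which browser happens to follow a javascript: or data: target: the redirector must never emit a Location or Refresh header whose target is anything other than an http(s) URL on an allowed host or a site-relative path. The following is an added example of that check, not code from MustLive's article, from Bugtraq, or from any of the browsers named; the function names, the allowed host example.com and the sample inputs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical redirector hardening (added example, not from the original post).
# Only these schemes may ever appear in a Location: or Refresh: header we emit.
ALLOWED_SCHEMES = {"http", "https"}

# ASCII control characters and whitespace: several URL parsers skip these before
# the scheme, so "\tjavascript:" must be treated exactly like "javascript:".
_CTRL_OR_WS = re.compile(r"[\x00-\x20\x7f]")


def validate_redirect_target(candidate, allowed_hosts, default="/"):
    """Return `candidate` if it is a safe redirect target, else `default`.

    Safe means: a site-relative path ("/path", not "//host", no backslash),
    or an absolute http(s) URL whose host is in `allowed_hosts`.
    Anything else (javascript:, data:, vbscript:, protocol-relative URLs,
    unknown hosts, unparsable input) falls back to `default`.
    """
    if not candidate:
        return default
    cleaned = _CTRL_OR_WS.sub("", candidate)

    # Site-relative path: exactly one leading slash and no backslash (some
    # browsers treat "\" as "/", which would turn "/\host" into "//host").
    if cleaned.startswith("/") and not cleaned.startswith("//") and "\\" not in cleaned:
        return cleaned

    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. a malformed IPv6 literal in the host part
        return default

    # urlsplit lowercases the scheme, so "JavaScript:" is seen as "javascript".
    if parts.scheme not in ALLOWED_SCHEMES:
        return default
    if parts.hostname is None or parts.hostname not in allowed_hosts:
        return default
    return cleaned


def build_redirect_headers(candidate, allowed_hosts, use_refresh=False):
    """Headers for a 302 (Location) or a Refresh-based redirect, after validation."""
    target = validate_redirect_target(candidate, allowed_hosts)
    if use_refresh:
        return [("Refresh", "0; url=" + target)]
    return [("Location", target)]


# Constructed sample inputs: two benign targets plus the URI kinds the five
# vectors rely on (javascript:, data:), a case/whitespace variant, and two
# open-redirect attempts to a foreign host.
SAMPLE_TARGETS = [
    "/account?tab=security",
    "https://example.com/login",
    "javascript:alert(1)",
    "\tJavaScript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
    "//attacker.example/",
    "https://attacker.example/login",
]


def check_samples(allowed_hosts=("example.com",)):
    """Map each sample to the target a hardened redirector would actually send."""
    return {t: validate_redirect_target(t, allowed_hosts) for t in SAMPLE_TARGETS}


if __name__ == "__main__":
    for target, result in check_samples().items():
        print(f"{target!r:48} -> {result!r}")
```

The check is done on the server before the header is written, so it does not matter whether a given browser follows a javascript: target after a 301, a 302 or a Refresh header; the same validation covers the location-header and refresh-header variants. Rejected input falls back to a fixed site-relative path rather than being "cleaned up", because a rewritten attacker-controlled string is still attacker-controlled.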
Current thread:
- Cross-Site Scripting attacks via redirectors in different browsers MustLive (Sep 17)
- Re: Cross-Site Scripting attacks via redirectors in different browsers darky (Sep 18)
- Re: Cross-Site Scripting attacks via redirectors in different browsers Tõnu Samuel (Sep 20)
- Re: Cross-Site Scripting attacks via redirectors in different browsers MustLive (Sep 22)