Full Disclosure mailing list archives
Cross-Site Scripting Attacks Possible At Multiple Webspace Provid ers
From: full-disclosure () lists netsys com (Berend-Jan Wever)
Date: Tue, 06 Aug 2002 10:30:28 +0200
This is a multi-part message in MIME format. --Boundary_(ID_Kq9GhWB5ex2MW5Uw1ImRVg) Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: QUOTED-PRINTABLE I thought this was as widely known as the ability to spoof the sender= address in emails. Like you said: "The same-origin policy that is us= ed to avoid cross-frame security violations is completely compromised" because it= all comes from the same origin. Maybe people just don't know, but i've known this since I first learn= ed about browser script security. Berend-Jan Wever aka SkyLined http://spoor12.edup.tudelft.nl ----- Original Message -----=20 From: Matthew Murphy=20 To: Vuln-Dev ; SecurITeam News ; Full Disclosure ; BugTraq=20 Sent: Tuesday, August 06, 2002 6:19 Subject: [Full-disclosure] Cross-Site Scripting Attacks Possible At= Multiple Webspace Provid ers Issue: Multiple web space providers are susceptible to script-based= origin validation attacks. Impact: Cookie theft, page manipulation, ... Additional Information: http://www.murphy.101main.net/vulns/2002-24= .txt Many web space providers offer their users web space by way of a folder-based URL, something like this: http://www.domain.com/community/uid An interesting scenario occurs when pages are visited on (commonpla= ce) JavaScript-enabled browsers. The same-origin policy that is used t= o avoid cross-frame security violations is completely compromised, as the o= nly difference in these URLs to the browser is folder/virtual paths, no= t sufficient for a same-origin violation. This vulnerability allows = anyone who can create a webspace account on the host to manipulate the app= earance of other hosted sites provided the victim can be coaxed to a page u= nder their control. This allows for typical cross-domain scripting attacks (stealing co= okies, reading form data, ...), which could be pretty devastating, as one = site instantly has access to the guts of a few thousand (million?) other= s. I have confirmed that Terra Lycos' AngelFire service is vulnerable,= and also Yahoo! Geocities is believed susceptible. It is very likely that o= thers are vulnerable. "The reason the mainstream is thought of as a stream is because it is so shallow." - Author Unknown -------------------------------------------------------------------= -- This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the takin= g of any action based on it, is strictly prohibited. _______________________________________________ Full-Disclosure - We believe in it. Full-Disclosure () lists netsys com http://lists.netsys.com/mailman/listinfo/full-disclosure --Boundary_(ID_Kq9GhWB5ex2MW5Uw1ImRVg) Content-type: text/html; charset=iso-8859-1 Content-transfer-encoding: QUOTED-PRINTABLE <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; charset=3Diso-8= 859-1"> <META content=3D"MSHTML 6.00.2716.2200" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ecfaff> <DIV><FONT face=3DArial size=3D2>I thought this was as widely known a= s the ability=20 to spoof the sender address in emails. Like you said: <FONT size=3D3>= "The=20 same-origin policy that is used to avoid<BR>cross-frame security viol= ations is=20 completely compromised</FONT><FONT size=3D2>" because it all comes fr= om the same=20 origin.</FONT></FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>Maybe people just don't know, but i'= ve known this=20 since I first learned about browser script security.</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>Berend-Jan Wever aka SkyLined</FONT>= </DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2><A=20 href=3D"http://spoor12.edup.tudelft.nl";>http://spoor12.edup.tudelft.n= l</A></FONT></DIV> <BLOCKQUOTE=20 style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BOR= DER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px"> <DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV> <DIV=20 style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black">= <B>From:</B>=20 <A title=3Dmattmurphy () kc rr com href=3D"mailto:mattmurphy () kc rr com= ">Matthew=20 Murphy</A> </DIV> <DIV style=3D"FONT: 10pt arial"><B>To:</B> <A title=3Dvuln-dev@secu= rityfocus.com=20 href=3D"mailto:vuln-dev () securityfocus com">Vuln-Dev</A> ; <A=20 title=3Dnews () securiteam com href=3D"mailto:news () securiteam com">Sec= urITeam=20 News</A> ; <A title=3Dfull-disclosure () lists netsys com=20 href=3D"mailto:full-disclosure () lists netsys com">Full Disclosure</A=
; <A=20
title=3Dbugtraq () securityfocus com=20 href=3D"mailto:bugtraq () securityfocus com">BugTraq</A> </DIV> <DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Tuesday, August 06, 20= 02 6:19</DIV> <DIV style=3D"FONT: 10pt arial"><B>Subject:</B> [Full-Disclosure] C= ross-Site=20 Scripting Attacks Possible At Multiple Webspace Provid ers</DIV> <DIV><BR></DIV>Issue: Multiple web space providers are susceptible = to=20 script-based origin<BR>validation attacks.<BR>Impact: Cookie theft,= page=20 manipulation, ...<BR>Additional Information: <A=20 href=3D"http://www.murphy.101main.net/vulns/2002-24.txt";>http://www= .murphy.101main.net/vulns/2002-24.txt</A><BR><BR>Many=20 web space providers offer their users web space by way of a<BR>fold= er-based=20 URL, something like this:<BR><BR><A=20 href=3D"http://www.domain.com/community/uid";>http://www.domain.com/= community/uid</A><BR><BR>An=20 interesting scenario occurs when pages are visited on=20 (commonplace)<BR>JavaScript-enabled browsers. The same-origin= policy=20 that is used to avoid<BR>cross-frame security violations is complet= ely=20 compromised, as the only<BR>difference in these URLs to the browser= is=20 folder/virtual paths, not<BR>sufficient for a same-origin violation= . =20 This vulnerability allows anyone<BR>who can create a webspace accou= nt on the=20 host to manipulate the appearance<BR>of other hosted sites provided= the victim=20 can be coaxed to a page under<BR>their control.<BR><BR>This allows = for typical=20 cross-domain scripting attacks (stealing cookies,<BR>reading form d= ata, ...),=20 which could be pretty devastating, as one site<BR>instantly has acc= ess to the=20 guts of a few thousand (million?) others.<BR><BR>I have confirmed t= hat Terra=20 Lycos' AngelFire service is vulnerable, and also<BR>Yahoo! Geocitie= s is=20 believed susceptible. It is very likely that others=20 are<BR>vulnerable.<BR><BR>"The reason the mainstream is thought<BR>= of as a=20 stream is because it is<BR>so=20 shallow."<BR> = = =20 - Author=20 Unknown<BR>--------------------------------------------------------= -------------<BR><BR>This=20 message (including any attachments) contains confidential<BR> = information=20 intended for a specific individual and purpose, and<BR> is pro= tected by=20 law. If you are not the intended recipient, you<BR> should del= ete this=20 message and are hereby notified that any<BR> disclosure, copyi= ng, or=20 distribution of this message, or the taking<BR> of any action = based on=20 it, is strictly=20 prohibited.<BR><BR><BR><BR>________________________________________= _______<BR>Full-Disclosure=20 - We believe in it.<BR><A=20 href=3D"mailto:Full-Disclosure () lists netsys com">Full-Disclosure@li= sts.netsys.com</A><BR><A=20 href=3D"http://lists.netsys.com/mailman/listinfo/full-disclosure";>h= ttp://lists.netsys.com/mailman/listinfo/full-disclosure</A><BR></BLOC= KQUOTE></BODY></HTML> --Boundary_(ID_Kq9GhWB5ex2MW5Uw1ImRVg)--
Current thread:
- Cross-Site Scripting Attacks Possible At Multiple Webspace Providers Matthew Murphy (Aug 05)
- Cross-Site Scripting Attacks Possible At Multiple Webspace Provid ers Berend-Jan Wever (Aug 06)
- Cross-Site Scripting Attacks Possible At Multiple Webspace Provid ers Matthew Murphy (Aug 06)
- Cross-Site Scripting Attacks Possible At Multiple Webspace Provid ers Berend-Jan Wever (Aug 06)