Vulnerability Development mailing list archives

Re: Netscape cross domain security hole


From: Henri Torgemane <henri_torgemane () yahoo com>
Date: Thu, 10 Jan 2002 19:56:25 -0800 (PST)

Well yes and no.

Netscape does have cross-domain security mechanisms.
So w=open("http://www.far-away.com");alert(w.document.cookie);
will fail because of that mechanism.
Netscape protects parts of the DOM that are likely to contain sensitive
stuff. That includes the location object, any form object, and I think
most, if not all, of the document object.

However, it doesn't block access to user-defined members of another
page on another domain.
So theoretically, one could imagine a site A with a form, and a
validation script that stores some of the form content in global
variables, and an evil site B that opens a window to site A and talks
the user into filling the form, then keeps polling specific global
variables in the hope of stealing some data.
Coming up with a practical attack is another matter.


Hope that helps,
Henri




--- Avi Mozes <amozes () hotmail com> wrote:


I found out that Netscape doesn't have security when 
it comes to accessing sites from domain to domain.  
This seems to work in 4.7x -- I have not tried it out yet 
in Netscape 6.  What this hole allows you to do is run 
any Javascript (and VBScript) functions on any site 
as well as change values of global variables.  This 
allows you to run functions that you shouldn't run or 
set variables to values that could damage or allow 
you to access information.  

The way it's done: have a page open (with a simple 
window.open command using a window handle) any 
site.  
To run a function, run on the parent page:
winhandle.function(param);
To change any variable:
winhandle.var = value;

One exploit is with cookies where you are able to get 
and set cookies if the site has cookie functions.  This 
makes it possible for you to set cookies from that 
domain.  If a site relies on Javascript or cookies for 
some point of their security system, this could be 
even more damaging.  And lastly, it can grab user 
information if a user uses a page with this exploit and 
continues to another domain opened by the page.

Let me know your ideas on this.
Avi
amozes () hotmail com
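As an added illustration of Henri's point (example code, not from either poster), here is the difference between a validation script that caches form data in a page global and one that keeps it in a closure, using a plain object as a constructed stand-in for the window object: under the 4.7x behaviour described, only user-defined window members are reachable through another page's window handle, so the closure-scoped version leaves nothing for a polling script to read.

```javascript
// Added example: site A's page-global scope is simulated with a plain object
// standing in for the browser window. The thread's claim is that user-defined
// window members are readable through a handle held by another page.

// Constructed stand-in for a browser window object.
function makeWindow() {
  return { document: { forms: {} } };
}

// Vulnerable pattern: the validation script caches the form value in a
// page global, i.e. as a property of the window object.
function installVulnerableValidator(win) {
  win.validate = function (form) {
    win.lastAccount = form.account;        // readable as winhandle.lastAccount
    return /^\d{8}$/.test(form.account);
  };
}

// Hardened pattern: the cached value lives only in the closure; the window
// object gains function members but no data member holding the value.
function installHardenedValidator(win) {
  let lastAccount = null;
  win.validate = function (form) {
    lastAccount = form.account;
    return /^\d{8}$/.test(form.account);
  };
  // Later page logic can still use the cached value without exposing it.
  win.isUnchanged = (form) => form.account === lastAccount;
}

// What a script holding a handle to `win` could read back: every
// user-defined, non-function member. `document` is browser-provided and,
// per the thread, covered by Netscape's cross-domain checks, so it is skipped.
function exposedData(win) {
  const out = {};
  for (const key of Object.keys(win)) {
    if (key !== 'document' && typeof win[key] !== 'function') out[key] = win[key];
  }
  return out;
}

// Run one validator against a constructed form submission and report leaks.
function demo(install) {
  const win = makeWindow();
  install(win);
  win.validate({ account: '12345678' });   // constructed sample input
  return exposedData(win);
}
```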



