Hello Bugtraq!

I want to warn you about a Cross-Site Scripting vulnerability in Mozilla
Firefox, Opera and other browsers. It allows bypassing the protection against
execution of JavaScript code in Location-header redirectors (by redirecting
to a javascript: URI).

Recently, 04.08.2010, I wrote about a vulnerability in Mozilla and Mozilla
Firefox at my site. I made full disclosure because Mozilla completely
ignored a similar vulnerability, which I informed them about in August 2009,
like all the other vulnerabilities in Firefox which I wrote about in 2009 in
my article Cross-Site Scripting attacks via redirectors
(http://websecurity.com.ua/3386/). After that release I made additional
checks of this vulnerability in different browsers and found that Opera
10.53 is vulnerable (to the new and old holes), while Opera 9.52 was
not vulnerable. It looks like Opera ignored my article Cross-Site Scripting
attacks via redirectors and those two vulnerabilities (two attack vectors
via redirectors), which I told them about in 2009, and added two new attack
vectors via redirectors.

Earlier I already wrote about a Cross-Site Scripting vulnerability in Mozilla,
Firefox and other browsers (http://websecurity.com.ua/3373/) (CVE-2009-3014)
via redirectors with the answer "302 Object moved". As I recently checked,
besides the earlier mentioned vulnerable browsers, the following browsers are
also vulnerable: Firefox 3.0.19, Firefox 3.5.11, Firefox 3.6.8, Firefox 4.0b2
and Opera 10.53 (while Opera 9.52 isn't vulnerable). Recently I
informed Mozilla and Opera about these issues in their browsers.

In Firefox, on sites whose redirectors use the answer "302 Found", a request
to a Location-header redirector that carries JavaScript code makes the
browser show the "Found" page, where this code is placed in the link “here”.
Clicking that link executes the code. I.e. it is Strictly social XSS, and
it is also one more example of Local XSS
(http://websecurity.com.ua/4219/).

XSS:

With a request to the script at the web site:

http://site/script.php?param=javascript:alert(document.cookie)

which returns the Location header in its answer:

HTTP/1.x 302 Found
Location: javascript:alert(document.cookie)

the browser will show the “Found” page. Clicking the link “here” executes
the code in the context of this site.

Besides the javascript: URI, it's also possible to use a data: URI to execute
JS code, if the redirector outputs the chars ";" and "," in the Location
header in plain (not URL-encoded) form.

Also, in all versions of Mozilla and Mozilla Firefox it's possible to use
another variant of Strictly social XSS: using -moz-binding (for
Firefox < 3.0, or for Firefox >= 3.0 with an xml-file on the same site) or
using onMouseOver:

http://site/script.php?param=a:%22%20onMouseOver=%22alert(document.cookie)

When the cursor moves over the link “here”, the code will execute in the
context of this site.

And with my MouseOverJacking technique
(http://websecurity.com.ua/3814/), it's possible to automate this
attack in all versions of Mozilla and Mozilla Firefox (especially when using
-moz-binding isn't possible):

http://site/script.php?param=a:%22%20style=%22width:100%25;height:100%25;display:block;position:absolute;top:0px;left:0px%22%20onMouseOver=%22alert(document.cookie)

This attack is possible only if the redirector (with a "302 Found" or "302
Object moved" answer) outputs the double quote in the Location header in
plain (not URL-encoded) form.

Affected software:

Vulnerable are Mozilla 1.7.x and previous versions.

Vulnerable are Mozilla Firefox 3.0.19, Firefox 3.5.11, Firefox 3.6.8,
Firefox 4.0b2 and previous versions.

Vulnerable are Opera 10.53 and potentially all 10.x versions (while
Opera 9.52 isn't vulnerable).

As in the case of XSS via redirectors with the answer "302 Object moved", the
following browsers must also be vulnerable to this vulnerability: SeaMonkey
1.1.17, Firefox 3.7 a1 pre, Orca Browser 1.2 build 5 and Maxthon 3 Alpha
(3.0.0.145) with Ultramode.

I mentioned this vulnerability at my site
(http://websecurity.com.ua/4432/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
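
The vectors in this post depend on the redirector copying an arbitrary scheme, or a plain double quote, into the Location header. A server-side check for that, as an added example that is not part of the original post (Python; the name safe_location and the http/https allow-list are assumptions):

```python
from urllib.parse import urlsplit, quote

# Assumption: this redirector only ever needs to send users to web URLs.
ALLOWED_SCHEMES = {"http", "https"}

# RFC 3986 reserved characters plus "%" stay as they are; everything else
# outside the unreserved set (double quote, space, "<", ">") is encoded.
KEEP = ":/?#[]@!$&'()*+,;=%"


def safe_location(target):
    """Return a value safe to emit in a Location header, or None to refuse.

    Hypothetical helper: target is the raw redirect parameter
    (param in the URLs quoted in the post).
    """
    # CR/LF and other control characters would split or corrupt the header.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return None
    target = target.strip()
    try:
        parts = urlsplit(target)
    except ValueError:
        return None
    # Rejects javascript:, data: and made-up schemes such as "a:"; also
    # rejects scheme-only forms like "http:javascript:..." with no host.
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    # A plain double quote would let the value break out of the href
    # attribute of the link on the "Found" page; it leaves here as %22.
    return quote(target, safe=KEEP)


if __name__ == "__main__":
    samples = [  # constructed inputs; the first two are the post's vectors
        "javascript:alert(document.cookie)",
        'a:" onMouseOver="alert(document.cookie)',
        "data:text/html,x",
        'http://example.com/a"b',
    ]
    for s in samples:
        print(repr(s), "->", safe_location(s))
```

Relative targets are refused as well; a redirector that needs same-site paths has to handle them separately.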