[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome

To: MustLive <mustlive@xxxxxxxxxxxxxxxxxx>
Subject: Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome
From: Michal Zalewski <lcamtuf@xxxxxxxxxxx>
Date: Wed, 15 Jul 2009 13:00:40 -0700

> To bypass protection from JavaScript code execution via refresh header it's
> needed to use data: URI, which will be containing requisite JS code.
> [...] After I informed Mozilla, they declined to fix this vulnerability.

"Refresh" or "Location" redirection in Firefox will not bestow a
security context derived from the referring site upon the executed
code. This is different from the behavior on javascript: URLs.
Granted, it and also somewhat counterintuitive, as other types of
data: navigation - e.g., link navigation, IFRAMEd content, location.*
updates - do inherit that context.

This means that there is nothing to be gained by redirecting to data:
through www.example.com; he could as well just redirect to his own
site and run any potentially malicious JavaScript there.

/mz

Follow-Ups:
- Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome
  - From: MustLive

References:
- Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome
  - From: MustLive

Prev by Date: iDefense Security Advisory 07.15.09: Microsoft Office Publisher 2007 Arbitrary Pointer Dereference Vulnerability
Next by Date: Update: [TZO-06-2009] IBM Proventia - Generic bypass (Limited disclosure - see details)
Previous by thread: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome
Next by thread: Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome
Index(es):
- Date
- Thread