[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Global *.net XSS, thank you Verisign(TM)

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] Global *.net XSS, thank you Verisign(TM)
From: Scott Manley <djsnm@xxxxxxxxx>
Date: Tue, 16 Sep 2003 11:17:20 -0700

Richard M. Smith wrote:

VeriSign should fix their bug, but I don't see the danger of a
cross-site scripting error at a non-existent domain.  The scripting code
can't really do anything at the Web site........

Indeed, but it is exploitable in some cases where the user is using an http proxy, since there are 2 url parsers involved. If anyone remembers the rather neat Analog-X/IE Global XSS you can probably find the same issue with almost any proxy.

I've not tested, but.... the Analog-X URL parser looks for a ':' or a '\' as a terminator for the domain name, while IE looks for any character which isn't part of a legal domain name.

So you can get cookies from *any* domain by doing things like

http://www.msn.com";alert('slut');".net

In theory IE parses this to the msn.com domain and the proxy parses this to the www.msn.com";alert('slut');".net domain.

Again - it all depends on the proxy and the browser disagreeing on the URL parsing.

Scott Manley

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- RE: [Full-Disclosure] Global *.net XSS, thank you Verisign(TM)
  - From: Richard M. Smith

Prev by Date: [Full-Disclosure] [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability
Next by Date: [Full-Disclosure] [SECURITY] [DSA-382-1] OpenSSH buffer management fix
Previous by thread: RE: [Full-Disclosure] Global *.net XSS, thank you Verisign(TM)
Next by thread: RE: [Full-Disclosure] Global *.net XSS, thank you Verisign(TM)
Index(es):
- Date
- Thread