[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Facebook script injection vulnerabilities
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Facebook script injection vulnerabilities
- From: "Jouko Pynnonen" <jouko@xxxxxx>
- Date: Fri, 4 Jul 2008 12:46:05 +0300
The two remaining vulnerabilities seem to have been fixed today.
Updated information:
7) Escaping JS sandbox with literal String reference
Impact: execution of unrestricted JS on canvas pages or profiles
(mouseclick required on profile pages)
Browsers: FF
Description: __parent__ property of a String object can be referenced
using a literal expression and the "bracket syntax" to get a Window
reference.
Reported: June 21, 2008
Fixed: yes
Example:
"a"["__parent__"].eval("alert('any javascript here');");
8) Escaping JS sandbox with literal RegExp reference
Impact: execution of unrestricted JS on canvas pages or profiles
(mouseclick required on profile pages)
Browsers: FF
Description: __parent__ property of a RegExp object can be referenced
using a literal expression and the "bracket syntax" to get a Window
reference.
Reported: June 21, 2008
Fixed: yes
Example:
/a/["__parent__"].eval("alert('any javascript here');");
On Thu, Jul 3, 2008 at 2:01 AM, Jouko Pynnonen <jouko@xxxxxx> wrote:
> Hello,
>
> This is a summary of various Facebook security issues found and
> reported since June 13, 2008. Two of the vulnerabilities still remain
> on the site, so no details of them are disclosed here. The rest have
> been fixed.
>
> Any of these could be exploited to take over the victim's web browser
> temporarily to e.g. read inbox messages, forcibly install FB
> applications, manipulate friend lists, post messages as the victim
> user, etc. Any of these would also allow creation of a
> self-propagating JavaScript virus/worm.
>
> Most of the issues require the victim user to click on a profile box
> or visit a canvas page of an application in order to trigger the
> injected JavaScript. Issues 2) and 3) don't require mouse clicks.
>
> The vulnerabilities were tested with two browsers: Firefox 3 (Linux +
> Windows) and Internet Explorer 7.
>
>
>
> 1) Escaping JS sandbox with literal Function constructor reference
> Impact: execution of unrestricted JS on canvas pages or profiles
> (mouseclick required on profile pages)
> Description: The JS sandbox denies references to Function.constructor
> but using a literal such as "function f() { }" in the code and
> refering to its constructor with the "bracket syntax" was possible.
> The example below uses this method and calls the constructor with a
> string argument, then calls the resulting Function object.
> Browsers: FF, IE
> Reported: June 13, 2008
> Fixed: yes
> Example:
>
> (function f(){}["constructor"]("alert('any javascript here');"))();
>
>
>
> 2) Fb:silverlight JS injection
> Impact: execution of unrestricted JS on canvas pages, profiles
> Description: Simple XSS, described in the previous message to full-disclosure.
> Browsers: FF, IE
> Reported: June 16, 2008
> Fixed: yes
> Example:
>
> <fb:silverlight silverlightsrc="a"
> width="\" height=",any_javascript_code_here);//" />
>
>
>
> 3) Injecting JS in Feeds
> Impact: execution of unrestricted JS when viewing Feeds on profile
> page or the "home" page
> Description: Insufficient input validation in the
> publishTemplatizedAction API method.
> Browsers: FF, IE
> Reported: June 16, 2008
> Fixed: yes
> Example:
>
> # using the perl API
>
> $facebook->feed->publish_templatized_action( title => "My Title",
> title_template => "{actor} is testing feed stories",
> body_template => "hello",
> image_1 => "http://www.mysite.com/image.gif'\"
> onload=(function	f(){}['constructor']('alert(1)'))();",
> image_1_link => "http://www.mysite.com" );
>
>
>
> 4) Escaping JS sandbox with literal Number reference
> Impact: execution of unrestricted JS on canvas pages or profiles
> (mouseclick required on profile pages)
> Description: Using the "bracket syntax" to reference the __parent__
> property of a floating point number to get a Window object reference,
> then calling its eval() to run arbitrary code. IE doesn't support the
> property.
> Browsers: FF
> Reported: June 18, 2008
> Fixed: yes
> Example:
>
> <script>
> 1.["__parent__"].eval("alert('any javascript here');");
> </script>
>
>
>
> 5) Injecting JS in video attachments
> Impact: execution of unrestricted JS when a inbox, wall or forum
> message is viewed (mouseclick required)
> Description: When sharing video content with the
> http://www.facebook.com/sharer.php form, some input fields can be
> modified e.g. with JavaScript. The example below can be typed in the
> address bar to inject JS in a message.
> Browsers: FF, IE
> Reported: June 20, 2008
> Fixed: yes
> Example:
>
> javascript:f=document.forms[0];f['attachment[params][video][src]'].value='#"
> a=b><img src="#" onerror=alert("hello")>
>
>
>
> 6) Escaping JS sandbox with E4X
> Impact: execution of unrestricted JS on canvas pages or profiles
> (mouseclick required on profile pages). Works in browsers supporting
> E4X (Firefox)
> Description: JS parser in browsers supporting E4X understand XML,
> which can contain multi-line strings. Facebook's JS sandbox technology
> didn't expect XML and multi-line strings. The example below
> demonstrates how this could be used to fool the sandbox logic.
> Browsers: FF
> Reported: June 26, 2008
> Fixed: yes
> Example:
>
> <script>
> <x x="
> x" {alert('any javascript')}="x"
> />
> </script>
>
>
>
> 7) Escaping JS sandbox
> Impact: execution of unrestricted JS on canvas pages or profiles
> (mouseclick required on profile pages)
> Browsers: FF
> Reported: June 21, 2008
> Fixed: no
>
>
>
> 8) Escaping JS sandbox
> Impact: execution of unrestricted JS on canvas pages or profiles
> (mouseclick required on profile pages)
> Browsers: FF
> Reported: June 21, 2008
> Fixed: no
>
>
>
>
> --
> Jouko Pynnönen <jouko@xxxxxx>
> http://iki.fi/jouko
> Finland
>
--
Jouko Pynnönen <jouko@xxxxxx>
http://iki.fi/jouko
Finland
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/