[Full-disclosure] Cross-Site Scripting attacks via redirectors in different browsers
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Cross-Site Scripting attacks via redirectors in different browsers
- From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxxx>
- Date: Thu, 17 Sep 2009 21:34:03 +0300
Hello Full-Disclosure!
I already sent this letter to Bugtraq on the 6th of September, but they declined
to post it without any explanation - maybe it was due to some political
reasons :-). We'll see how it'll be with your list.
At the end of July I published my article Cross-Site Scripting attacks via
redirectors (http://websecurity.com.ua/3376/). And on the 4th of August I
published the English version of my article (http://websecurity.com.ua/3386/).
In this article I wrote about the use of redirectors in different browsers for
conducting Cross-Site Scripting attacks.
In the article I wrote about XSS attacks in location-header and
refresh-header redirectors in different browsers: Mozilla 1.7.x, Mozilla
Firefox 3.x, Internet Explorer (IE6), Opera 9.x and Google Chrome 1.x. And
after additional research in August I found that the following browsers are also
vulnerable: Google Chrome 2.x and 3.x, QtWeb, Safari, Opera 10.00 Beta 3,
SeaMonkey, Firefox 3.6 a1 pre, Firefox 3.7 a1 pre, Orca Browser and Maxthon
3 Alpha.
I wrote about five methods of attack in the article (via location-header and
refresh-header redirectors) - four of them I already posted to
Bugtraq. In this letter I'll inform you about new vulnerable browsers for
those vulnerabilities which I wrote to Bugtraq about before.
So in my article Cross-Site Scripting attacks via redirectors
(http://websecurity.com.ua/3386/) I wrote about five attack vectors:
Attack #1 - via refresh-header redirector to javascript: URI
(http://www.securityfocus.com/archive/1/504718).
Attack #2 - via refresh-header redirector to data: URI
(http://www.securityfocus.com/archive/1/504972/30/300/threaded).
Attack #3 - via location-header redirector to data: URI
(http://www.securityfocus.com/archive/1/505479/30/270/threaded).
Attack #4 - via location-header redirector (which uses the answer "302 Object
moved") to javascript: URI (http://www.securityfocus.com/archive/1/506163).
Attack #5 - via location-header redirector (which uses any 301 and 302
answers) to javascript: URI.
After the first release of the article, I found new vulnerable browsers with the
help of Aung Khant from YEHG Team.
The following browsers are also vulnerable:
Mozilla Firefox 3.0.13 - vulnerable to attacks #2,3,4.
Google Chrome 2.0.172.28, 2.0.172.37 and 3.0.193.2 Beta - vulnerable to
attacks #1,2.
QtWeb 3.0 Build 001 and 3.0 Build 003 - vulnerable to attacks #1,2,3.
Safari 4.0.3 - vulnerable to attacks #1,2.
Opera 10.00 Beta 3 Build 1699 - vulnerable to attacks #1,3.
SeaMonkey 1.1.17 - vulnerable to attacks #1,2,4.
Firefox 3.6 a1 pre - vulnerable to attacks #1,2,3,4.
Firefox 3.7 a1 pre - vulnerable to attacks #2,3,4.
Orca Browser 1.2 build 5 - vulnerable to attacks #2,3,4.
Maxthon 3 Alpha (3.0.0.145) with Ultramode (Apple’s WebKit emulation) -
vulnerable to attacks #1,2. And it is also vulnerable to attacks #3,4,5 as
strictly social XSS.
Maxthon 3 Alpha is the only browser vulnerable to attack #5 (for now). Attack #5
is similar to attack #4, but works in all location-header redirectors.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
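All five vectors above depend on a server-side redirector copying an attacker-supplied URL into a Location or Refresh header unchanged. As an added example (not code from MustLive's post or from any of the browsers named), the Python below shows the check a redirector should apply before emitting either header: only absolute http(s) targets pass, and javascript:, data: and split-up scheme tricks are refused. The function names and the sample targets are my own assumptions.

```python
import re
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Only these schemes may ever be copied into a Location or Refresh header.
SAFE_SCHEMES = {"http", "https"}

# Any C0 control character, space, or DEL. Lenient browsers may drop or tolerate
# these inside a scheme (e.g. "java\tscript:"), so a target containing any of
# them is refused outright rather than "cleaned" and re-checked.
_FORBIDDEN_CHARS = re.compile(r"[\x00-\x20\x7f]")


def safe_redirect_target(target: str) -> Optional[str]:
    """Return the target as an absolute http(s) URL, or None if it must be refused.

    Refuses javascript:, data:, vbscript: and every other non-http(s) scheme,
    scheme-relative ("//host") and path-relative targets, and anything whose
    scheme could be reassembled from split-up characters by a lenient browser.
    """
    if not target or _FORBIDDEN_CHARS.search(target):
        return None
    parts = urlsplit(target)  # urlsplit lowercases the scheme for us
    if parts.scheme not in SAFE_SCHEMES or not parts.netloc:
        return None
    return urlunsplit(parts)


def redirect_headers(target: str, use_refresh: bool = False) -> Optional[Dict[str, str]]:
    """Build the redirect header for a validated target, or return None so the
    caller serves a fixed safe page instead of redirecting at all."""
    url = safe_redirect_target(target)
    if url is None:
        return None
    if use_refresh:
        return {"Refresh": f"0;url={url}"}  # refresh-header redirector
    return {"Location": url}                 # location-header redirector (301/302)


if __name__ == "__main__":
    # Constructed sample targets: one benign, one per dangerous scheme, two relative forms.
    for sample in ("http://example.com/account",
                   "javascript:alert(1)",
                   "data:text/html,<script>alert(1)</script>",
                   "java\tscript:alert(1)",
                   "//attacker.example/"):
        print(repr(sample), "->", redirect_headers(sample))
```

A redirector that falls back to a fixed page on None (instead of echoing the rejected value anywhere in the response) never produces the javascript: or data: redirects the post describes, whatever the browser does with them.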
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/