
[Full-disclosure] Minify and related plugins DOM-Based XSS Vulnerability



+-------------------------------------------------------------------------------------------+
# Title : Minify and related plugins DOM-Based XSS Vulnerability
# Version : 2.1.3 & 2.1.4-Beta
# Credit  : Ayoub Aboukir, Independent Security Researcher
# Contact : <ay.aboukir at gmail d0t com>
# Software Link : http://code.google.com/p/minify/
# Release note:
https://groups.google.com/group/minify/browse_thread/thread/48c1d1cf2642f79
# Date of found : 03/01/2012
# Date of report : 03/03/2012
# Developer response: 03/03/2012
# Upgrade release : 03/10/2012
# Disclosure date : 03/21/2012
+-------------------------------------------------------------------------------------------+
-------------------------------
+---+[About the software]+---+
-------------------------------
Minify combines multiple CSS or JavaScript files, removes unnecessary
whitespace and comments, and serves them with gzip encoding and optimal
client-side cache headers. Minify is integrated into other projects/plugins:
   * WordPress: WP-Minify
   * WordPress: W3 Total Cache
   * Zend Framework: View helpers for links/scripts
   * Symfony: sfMinifyPlugin
   * Moodle: minify
   * Yii: minscript Extension
-----------------------------
+---+[About the exploit]+---+
-----------------------------
DOM Based XSS (or as it is called in some texts, "type-0 XSS") is an XSS
attack wherein the attack payload is executed as a result of modifying the DOM
"environment" in the victim's browser used by the original client side script,
so that the client side code runs in an "unexpected" manner. That is, the page
itself (the HTTP response, that is) does not change, but the client side code
contained in the page executes differently due to the malicious modifications
that have occurred in the DOM environment.
------------------------------
+---+[Proof of Concept: ]+---+
------------------------------
A specially formed URL could cause a user's web browser to run arbitrary
JavaScript on a domain where the Minify Builder application is accessible. If a
host serves the "Minify URI Builder" application at
http://example.org/min/builder/, the host is vulnerable.

By adding "#g=<script>alert("XSSed ");</script>" after /min/builder/, the
attacker can execute arbitrary code; in this case it is the classical alert box.
Example: http://localhost/min/builder/#g=<script>alert(document.cookie)</script>
This displays the current session's cookies, which could just as well be sent
to an attacker's third-party page.
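The sink class behind this advisory, as an added JavaScript example that is not Minify's own code: a builder page reads a `g=` value out of `location.hash` and concatenates it into markup, so whatever follows `#` becomes HTML. The names `parseFragmentParams`, `escapeHtml`, `isValidGroupKey`, `renderGroupVulnerable` and `renderGroupSafe` are hypothetical, and the vulnerable renderer only illustrates the pattern, not the builder's actual source. Two points a defender should take from it: the fragment is never sent to the server, so the payload leaves no trace in access logs or server-side filters, and the fix therefore has to live in the client-side code (encode before concatenation, or assign via `textContent` rather than `innerHTML`).

```javascript
// Added example (not Minify's code): handling "#g=..." from location.hash.
// Runs under Node without a DOM; in a browser you would pass location.hash.

// Parse a URL fragment such as "#g=a,b&x=1" into decoded key/value pairs.
function parseFragmentParams(hash) {
  const params = {};
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  if (!body) return params;
  for (const pair of body.split('&')) {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const val = eq === -1 ? '' : pair.slice(eq + 1);
    try {
      params[decodeURIComponent(key.replace(/\+/g, ' '))] =
        decodeURIComponent(val.replace(/\+/g, ' '));
    } catch (e) {
      // Malformed percent-encoding: drop the pair rather than guess.
    }
  }
  return params;
}

// Encode the five characters that matter in an HTML text/attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed allowlist for a group key: the page does not define Minify's own
// key syntax, so this policy (letters, digits, "_", ",", "-") is illustrative.
function isValidGroupKey(g) {
  return /^[A-Za-z0-9_,-]+$/.test(g);
}

// Vulnerable pattern: attacker-controlled fragment text is concatenated
// straight into markup (the equivalent of el.innerHTML = ...).
function renderGroupVulnerable(hash) {
  const g = parseFragmentParams(hash).g || '';
  return '<p>Group: ' + g + '</p>';
}

// Hardened: reject values outside the allowlist and encode before
// concatenation. In a real DOM, prefer el.textContent = g over innerHTML.
function renderGroupSafe(hash) {
  const g = parseFragmentParams(hash).g || '';
  if (g !== '' && !isValidGroupKey(g)) {
    return '<p>Group: (invalid group key)</p>';
  }
  return '<p>Group: ' + escapeHtml(g) + '</p>';
}

// Constructed sample input mirroring the advisory's proof of concept.
const samplePayload = '#g=<script>alert(document.cookie)</script>';
console.log('vulnerable:', renderGroupVulnerable(samplePayload));
console.log('hardened:  ', renderGroupSafe(samplePayload));
console.log('benign:    ', renderGroupSafe('#g=js1,css2'));
```

The allowlist check is the stronger control because it turns an open-ended string into a constrained token before it ever reaches a sink; the encoding step remains as defence in depth for any value that is legitimately free text.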
------------------------
+---+[  Greetz to ]+---+
------------------------
 Yasser & Yassin Aboukir
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/