Using the mozilla browser, while linking to a new page it is still possible to interact with the old page before the new page has been successfully loaded. Any javascript events fired will be invoked in the context of the new page, making cross site scripting possible if the pages belong to different domains.
8a39c48fd07d754c3d4be6f69961bdef39e4b016dba987bf15576e212c7df063
PUBLIC SECURITY ADVISORY: Sandblad #13
--------------------------------------------------------------
Title: Cross-domain exploit on zombie document with
event handlers
Date: 2004-02-25
Software: Mozilla web browser
Vendor: http://www.mozilla.org/
Status: Patched
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=227417
Type: Cross site scripting
Impact: Site spoofing, cookie/password theft
Author: Andreas Sandblad, sandblad@acc.umu.se
--------------------------------------------------------------
SUMMARY:
========
When linking to a new page it is still possible to interact with the old
page before the new page has been successfully loaded (zombie document).
Any javascript events fired will be invoked in the context of the new
page, making cross site scripting possible if the pages belong to
different domains.
HISTORY:
========
2003-12-02:
Mozilla Security Team contacted. Assigned Bugzilla bug #227417:
http://bugzilla.mozilla.org/show_bug.cgi?id=227417
2003-12-03:
Fix added.
DETAILS:
========
Mozilla has several security layers to prevent exploitation of zombie
documents. Most important the origin of all javascript code is checked
before execution. The problem occurs with event handlers used in tags.
Some attempts are made to disable them, but can easily be bypassed.
The trick is to fill the current document with as many event handlers as
possible and then redirect to a new page. If the event handler is invoked
at the right time it will be executed in the context of the new page, thus
making cross site scripting possible.
DISCLAIMER:
===========
Andreas Sandblad is not responsible for the misuse of the information
provided in this advisory. The opinions expressed are my own and not of
any company. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
advisory. Any use of the information is at the user's own risk.
FEEDBACK:
=========
Please send thoughts and comments to: _ _
sandblad@acc.umu.se o' \,=./ `o
(o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
Andreas Sandblad, UmeƄ Sweden.
---=--=---=--=--=---=--=--=--=--=---=--=--=--=--=--=--=--=---=--
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed