sandblad13.txt

sandblad13.txt: Posted Feb 25, 2004; Authored by Andreas Sandblad; Using the mozilla browser, while linking to a new page it is still possible to interact with the old page before the new page has been successfully loaded. Any javascript events fired will be invoked in the context of the new page, making cross site scripting possible if the pages belong to different domains.; tags | advisory, javascript, xss; SHA-256 | 8a39c48fd07d754c3d4be6f69961bdef39e4b016dba987bf15576e212c7df063; Download | Favorite | View

sandblad13.txt



PUBLIC SECURITY ADVISORY: Sandblad #13
--------------------------------------------------------------
Title:      Cross-domain exploit on zombie document with
            event handlers
Date:       2004-02-25
Software:   Mozilla web browser
Vendor:     http://www.mozilla.org/
Status:     Patched
Reference:  http://bugzilla.mozilla.org/show_bug.cgi?id=227417
Type:       Cross site scripting
Impact:     Site spoofing, cookie/password theft
Author:     Andreas Sandblad, sandblad@acc.umu.se
--------------------------------------------------------------


SUMMARY:
========
When linking to a new page it is still possible to interact with the old
page before the new page has been successfully loaded (zombie document).
Any javascript events fired will be invoked in the context of the new
page, making cross site scripting possible if the pages belong to
different domains.


HISTORY:
========
2003-12-02:
Mozilla Security Team contacted. Assigned Bugzilla bug #227417:
http://bugzilla.mozilla.org/show_bug.cgi?id=227417

2003-12-03:
Fix added.


DETAILS:
========
Mozilla has several security layers to prevent exploitation of zombie
documents. Most important the origin of all javascript code is checked
before execution. The problem occurs with event handlers used in tags.
Some attempts are made to disable them, but can easily be bypassed.

The trick is to fill the current document with as many event handlers as
possible and then redirect to a new page. If the event handler is invoked
at the right time it will be executed in the context of the new page, thus
making cross site scripting possible.


DISCLAIMER:
===========
Andreas Sandblad is not responsible for the misuse of the information
provided in this advisory. The opinions expressed are my own and not of
any company. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
advisory. Any use of the information is at the user's own risk.


FEEDBACK:
=========
Please send thoughts and comments to:              _     _
sandblad@acc.umu.se                              o' \,=./ `o
                                                    (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
Andreas Sandblad, Umeå Sweden.
---=--=---=--=--=---=--=--=--=--=---=--=--=--=--=--=--=--=---=--

Top Authors In Last 30 Days

Red Hat 282 files
Jay Turla 150 files
indoushka 149 files
Ubuntu 69 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
Gentoo 31 files
H D Moore 31 files
Debian 30 files

File Archives

Systems

AIX (429)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,117)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (880)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,059)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,725)
Slackware (941)
Solaris (1,614)
SUSE (1,444)
Ubuntu (9,806)
UNIX (9,449)
UnixWare (187)
Windows (6,762)
Other

sandblad13.txt

sandblad13.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

sandblad13.txt

Share This

sandblad13.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems