Mozilla Event Handler Document Transition Flaw Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1009209
CVE Reference: CAN-2004-0191
Updated: Mar 4 2004
Original Entry Date: Feb 25 2004
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): Affects versions prior to 1.6
Description: A vulnerability was reported in the Mozilla browser in the processing of event handlers during the transition between documents. A remote user can conduct cross-site scripting attacks.

Andreas Sandblad reported that a remote user can create HTML containing a specially crafted link that, when loaded in the target user's browser, may cause JavaScript event handlers defined by the old page to execute in the security context of the new page. The flaw reportedly resides in 'nsDOMClassInfo.cpp' and is triggered when a large number of event handlers are used within HTML tags: while the new page is still loading, the old page (the "zombie document") can still interact with the browser, and an event handler that fires at the right moment runs against the new page rather than the page that defined it.

A remote user can therefore create specially crafted HTML that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser in the context of an arbitrary site, in that site's security domain. The code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. A limited amount of user interaction may be required.

The vendor was reportedly notified on December 2, 2003. The original bug report (containing some demonstration exploit HTML) is available at:
http://bugzilla.mozilla.org/show_bug.cgi?id=227417
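The following is an added illustration, not code from the advisory, from the bug report or from Mozilla: a small JavaScript model of the state error described above. The names (Document, Window, navigate, dispatchUnchecked, dispatchChecked, countLeaks) and the sample origins and cookie value are assumptions made for the model. It shows an unchecked dispatch, where a handler registered by the old page runs against whatever document the window holds at firing time, beside a checked dispatch that refuses a handler whose owning document has been unloaded or whose origin differs from the active document's, and counts how many of a flood of handlers leak under each.

```javascript
// Added model of the "zombie document" state error. Not Mozilla's code;
// all names and sample values below are assumptions made for the model.

// A document remembers the origin it was loaded from and the event
// handlers registered while it was the active document.
class Document {
  constructor(origin, cookie) {
    this.origin = origin;   // assumed sample origin, e.g. "http://attacker.example"
    this.cookie = cookie;   // constructed sample data a handler may read
    this.handlers = [];     // entries of { name, fn, ownerDoc }
    this.unloaded = false;  // set when navigation replaces this document
  }
}

// The window is what survives navigation; its document gets swapped.
class Window {
  constructor(doc) {
    this.document = doc;
  }
  // Registers an inline-style handler and tags it with the document
  // that defined it, so the dispatcher can later tell where it came from.
  addHandler(name, fn) {
    const entry = { name, fn, ownerDoc: this.document };
    this.document.handlers.push(entry);
    return entry;
  }
  // Navigation: the old document becomes a zombie, the new one is active.
  navigate(newDoc) {
    const old = this.document;
    old.unloaded = true;
    this.document = newDoc;
    return old;
  }
}

// Vulnerable dispatch: runs the handler against whatever document the
// window holds *now*, regardless of which document registered it.
function dispatchUnchecked(win, entry) {
  return { blocked: false, value: entry.fn(win.document) };
}

// Checked dispatch: a handler may only run if its owning document is still
// the active document (state check) and its origin matches the document it
// would act on (origin check). Either failure blocks the handler.
function dispatchChecked(win, entry) {
  if (entry.ownerDoc.unloaded || entry.ownerDoc !== win.document) {
    return { blocked: true, reason: "handler belongs to an unloaded document" };
  }
  if (entry.ownerDoc.origin !== win.document.origin) {
    return { blocked: true, reason: "cross-origin handler" };
  }
  return { blocked: false, value: entry.fn(win.document) };
}

// Scenario from the advisory: the attacker's page installs a handler, then
// links to a victim page; the handler fires after the document swap.
function runScenario(dispatch) {
  const attackerDoc = new Document("http://attacker.example", "none");
  const victimDoc = new Document("http://victim.example", "session=constructed-sample");
  const win = new Window(attackerDoc);
  const entry = win.addHandler("onmouseover", (doc) => doc.cookie); // reads the active doc's cookie
  win.navigate(victimDoc); // attackerDoc is now a zombie
  return dispatch(win, entry);
}

// The "fill the document with as many handlers as possible" variant:
// register n handlers before navigating and count how many leak the
// new document's cookie under the given dispatcher.
function countLeaks(dispatch, n) {
  const attackerDoc = new Document("http://attacker.example", "none");
  const victimDoc = new Document("http://victim.example", "session=constructed-sample");
  const win = new Window(attackerDoc);
  const entries = [];
  for (let i = 0; i < n; i++) {
    entries.push(win.addHandler("onevent" + i, (doc) => doc.cookie));
  }
  win.navigate(victimDoc);
  let leaks = 0;
  for (const e of entries) {
    const r = dispatch(win, e);
    if (!r.blocked && r.value === victimDoc.cookie) leaks++;
  }
  return leaks;
}

// Control case: a handler registered by the active document, with no
// navigation in between, must still run under the checked dispatcher.
function runBenign(dispatch) {
  const doc = new Document("http://victim.example", "session=constructed-sample");
  const win = new Window(doc);
  const entry = win.addHandler("onclick", (d) => d.origin);
  return dispatch(win, entry);
}
```

The point of the model is the pairing of the two checks: tagging each handler with the document that defined it makes the state check possible, and the origin comparison at firing time catches the cross-domain case even if a stale handler somehow survives the unload.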
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (on December 3, 2003), available via CVS. A fix is also included in version 1.6b, available at:
http://www.mozilla.org/releases/
Vendor URL: http://bugzilla.mozilla.org/show_bug.cgi?id=227417
Cause: Input validation error, State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: Andreas Sandblad <sandblad@acc.umu.se>
Source Message Contents
Date: Wed, 25 Feb 2004 22:51:31 +0100 (CET)
From: Andreas Sandblad <sandblad@acc.umu.se>
Subject: Sandblad #13: Cross-domain exploit on zombie document with event
PUBLIC SECURITY ADVISORY: Sandblad #13
--------------------------------------------------------------
Title: Cross-domain exploit on zombie document with event handlers
Date: 2004-02-25
Software: Mozilla web browser
Vendor: http://www.mozilla.org/
Status: Patched
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=227417
Type: Cross site scripting
Impact: Site spoofing, cookie/password theft
Author: Andreas Sandblad, sandblad@acc.umu.se
--------------------------------------------------------------
SUMMARY:
========
When linking to a new page it is still possible to interact with the old
page before the new page has been successfully loaded (zombie document).
Any javascript events fired will be invoked in the context of the new
page, making cross site scripting possible if the pages belong to
different domains.
HISTORY:
========
2003-12-02:
Mozilla Security Team contacted. Assigned Bugzilla bug #227417:
http://bugzilla.mozilla.org/show_bug.cgi?id=227417
2003-12-03:
Fix added.
DETAILS:
========
Mozilla has several security layers to prevent exploitation of zombie
documents. Most importantly, the origin of all javascript code is checked
before execution. The problem occurs with event handlers used in tags.
Some attempts are made to disable them, but these can easily be bypassed.
The trick is to fill the current document with as many event handlers as
possible and then redirect to a new page. If the event handler is invoked
at the right time it will be executed in the context of the new page, thus
making cross site scripting possible.
DISCLAIMER:
===========
Andreas Sandblad is not responsible for the misuse of the information
provided in this advisory. The opinions expressed are my own and not of
any company. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
advisory. Any use of the information is at the user's own risk.
FEEDBACK:
=========
Please send thoughts and comments to: sandblad@acc.umu.se

Andreas Sandblad, Umeå Sweden.