Mozilla Event Handler Document Transition Flaw Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1009209
SecurityTracker URL: http://securitytracker.com/id/1009209
Updated: Mar 4 2004
Original Entry Date: Feb 25 2004
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes   Vendor Confirmed: Yes   Exploit Included: Yes
Version(s): Affects versions prior to 1.6
A vulnerability was reported in the Mozilla browser in the processing of event handlers during the transition of documents. A remote user can conduct cross-site scripting attacks.
The flaw reportedly resides in 'nsDOMClassInfo.cpp' and occurs when a large number of event handlers are used within HTML tags.
A remote user can create specially crafted HTML that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser in the context of an arbitrary site in that site's security domain. The code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A limited amount of user interaction may be required.
The vendor was reportedly notified on December 2, 2003.
The original bug report (containing some demonstration exploit HTML) is available at:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor has issued a fix (on December 3, 2003), available via CVS. A fix is also included in version 1.6b, available at:
Vendor URL: bugzilla.mozilla.org/show_bug.cgi?id=227417
Cause: Input validation error, State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Wed, 25 Feb 2004 22:51:31 +0100 (CET)
Subject: Sandblad #13: Cross-domain exploit on zombie document with event
PUBLIC SECURITY ADVISORY: Sandblad #13
Title: Cross-domain exploit on zombie document with
Software: Mozilla web browser
Type: Cross site scripting
Impact: Site spoofing, cookie/password theft
Author: Andreas Sandblad, email@example.com
When linking to a new page it is still possible to interact with the old
page before the new page has been successfully loaded (zombie document).
page, making cross site scripting possible if the pages belong to
Mozilla Security Team contacted. Assigned Bugzilla bug #227417:
Mozilla has several security layers to prevent exploitation of zombie
before execution. The problem occurs with event handlers used in tags.
Some attempts are made to disable them, but can easily be bypassed.
The trick is to fill the current document with as many event handlers as
possible and then redirect to a new page. If the event handler is invoked
at the right time it will be executed in the context of the new page, thus
making cross site scripting possible.
Andreas Sandblad is not responsible for the misuse of the information
provided in this advisory. The opinions expressed are my own and not of
any company. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
advisory. Any use of the information is at the user's own risk.
Please send thoughts and comments to:
firstname.lastname@example.org
Andreas Sandblad, Umeå Sweden.
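Both the SecurityTracker summary and Sandblad's advisory state that the flaw is triggered by HTML carrying an unusually large number of inline event handlers. As an added, defender-side illustration (not part of the SecurityTracker entry and not Sandblad's code), the Python below shows how a content gateway or proxy could triage documents on that property: it counts `on*` attributes per element with the standard library's `html.parser` and flags documents above a threshold. The threshold value and both sample documents are constructed assumptions for illustration; the heuristic is a triage aid, not a substitute for upgrading to the fixed Mozilla build.

```python
"""Triage heuristic: count inline event-handler attributes in an HTML document.

The advisory describes documents padded with as many event handlers as
possible. Ordinary pages carry few inline handlers, so an unusually high
count is a cheap signal worth logging or quarantining for inspection.
"""
from collections import Counter
from html.parser import HTMLParser

# Assumed threshold for illustration; tune against real traffic.
HANDLER_THRESHOLD = 20


class HandlerCounter(HTMLParser):
    """Tallies attributes whose name starts with 'on' (onclick, onload, ...)."""

    def __init__(self) -> None:
        super().__init__()
        self.per_tag: Counter = Counter()   # handlers per tag name
        self.total = 0                       # handlers in the whole document
        self.max_on_one_element = 0          # densest single element seen

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases attribute names already.
        n = sum(1 for name, _ in attrs if name.startswith("on"))
        if n:
            self.per_tag[tag] += n
            self.total += n
            self.max_on_one_element = max(self.max_on_one_element, n)
    # Self-closing tags (<img ... />) reach handle_starttag via the
    # default handle_startendtag, so no extra override is needed.


def scan_html(html: str, threshold: int = HANDLER_THRESHOLD) -> dict:
    """Return handler statistics and a 'suspicious' verdict for one document."""
    parser = HandlerCounter()
    parser.feed(html)
    parser.close()
    return {
        "total_handlers": parser.total,
        "max_on_one_element": parser.max_on_one_element,
        "per_tag": dict(parser.per_tag),
        "suspicious": parser.total >= threshold,
    }


# Constructed sample documents (not taken from the advisory).
BENIGN = (
    '<html><body onload="init()">'
    '<a href="/x" onclick="go()">x</a>'
    "</body></html>"
)

# Twelve real handler names, each with an inert body, on three elements.
EVENT_ATTRS = [
    "onclick", "ondblclick", "onmousedown", "onmouseup", "onmouseover",
    "onmousemove", "onmouseout", "onkeydown", "onkeyup", "onkeypress",
    "onfocus", "onblur",
]
FLOODED = (
    "<html><body>"
    + "".join(
        "<div " + " ".join(f'{a}="void 0"' for a in EVENT_ATTRS) + ">x</div>"
        for _ in range(3)
    )
    + "</body></html>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("flooded", FLOODED)):
        print(label, scan_html(doc))
```

In a gateway the verdict would drive logging or quarantine rather than blocking outright, since legitimate pages with many handlers exist; the per-tag breakdown is there to make the log entry reviewable.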