[Full-disclosure] Cross-Site Scripting attacks via redirectors in different browsers



Hello Full-Disclosure!

I already sent this letter to Bugtraq on the 6th of September, but they declined
to post it without any explanation - maybe it was due to some political
reasons :-). We'll see how it'll be with your list.

At the end of July I published my article Cross-Site Scripting attacks via
redirectors (http://websecurity.com.ua/3376/), and on the 4th of August I
published the English version of my article (http://websecurity.com.ua/3386/).
In this article I wrote about the use of redirectors in different browsers for
conducting Cross-Site Scripting attacks.

In the article I wrote about XSS attacks in location-header and
refresh-header redirectors in different browsers: Mozilla 1.7.x, Mozilla
Firefox 3.x, Internet Explorer (IE6), Opera 9.x and Google Chrome 1.x. And
after additional research in August I found that the following browsers are also
vulnerable: Google Chrome 2.x and 3.x, QtWeb, Safari, Opera 10.00 Beta 3,
SeaMonkey, Firefox 3.6 a1 pre, Firefox 3.7 a1 pre, Orca Browser and Maxthon
3 Alpha.

I wrote about five methods of attack in the article (via location-header and
refresh-header redirectors) - four of them I already posted to
Bugtraq. In this letter I'll inform you about new browsers vulnerable to
those vulnerabilities which I wrote to Bugtraq about before.

So in my article Cross-Site Scripting attacks via redirectors
(http://websecurity.com.ua/3386/) I wrote about five attack vectors:

Attack #1 - via refresh-header redirector to javascript: URI
(http://www.securityfocus.com/archive/1/504718).

Attack #2 - via refresh-header redirector to data: URI
(http://www.securityfocus.com/archive/1/504972/30/300/threaded).

Attack #3 - via location-header redirector to data: URI
(http://www.securityfocus.com/archive/1/505479/30/270/threaded).

Attack #4 - via location-header redirector (which uses the answer "302 Object
moved") to javascript: URI (http://www.securityfocus.com/archive/1/506163).

Attack #5 - via location-header redirector (which uses any 301 and 302
answers) to javascript: URI.

After the first release of the article, I found new vulnerable browsers with
the help of Aung Khant from YEHG Team.

The following browsers are also vulnerable:

Mozilla Firefox 3.0.13 - vulnerable to attacks #2,3,4.

Google Chrome 2.0.172.28, 2.0.172.37 and 3.0.193.2 Beta - vulnerable to
attacks #1,2.

QtWeb 3.0 Build 001 and 3.0 Build 003 - vulnerable to attacks #1,2,3.

Safari 4.0.3 - vulnerable to attacks #1,2.

Opera 10.00 Beta 3 Build 1699 - vulnerable to attacks #1,3.

SeaMonkey 1.1.17 - vulnerable to attacks #1,2,4.

Firefox 3.6 a1 pre - vulnerable to attacks #1,2,3,4.

Firefox 3.7 a1 pre - vulnerable to attacks #2,3,4.

Orca Browser 1.2 build 5 - vulnerable to attacks #2,3,4.

Maxthon 3 Alpha (3.0.0.145) with Ultramode (Apple's WebKit emulation) -
vulnerable to attacks #1,2. It is also vulnerable to attacks #3,4,5 as
strictly social XSS.

Maxthon 3 Alpha is the only browser vulnerable to attack #5 (for now). Attack #5
is similar to attack #4; it just works in all location-header redirectors.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
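
One defensive counterpart to the vectors listed above, as an added example that is not part of MustLive's post: a server-side redirect-target validator (for code that builds a Location or Refresh header from user-controlled input) together with a detector that flags captured responses whose redirect target is a javascript: or data: URI instead of an http(s) URL. The site origin https://example.com, the function names and the sample responses are constructed for this example; the normalization step exists because browsers drop tab, CR and LF inside a URL, so a naive prefix check on the raw string misses a split scheme.

```python
# Added example (not from the original post): a server-side validator for redirect
# targets plus a detector for responses whose Location or Refresh header points at
# a javascript: or data: URI. SITE_ORIGIN and SAMPLE_RESPONSES are constructed.
import re
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://example.com"   # assumed origin of the site doing the redirect
ALLOWED_SCHEMES = {"http", "https"}    # the only schemes a redirect target may resolve to

# ASCII NUL..SPACE: browsers strip these from the ends of a URL before parsing
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalize_target(target: str) -> str:
    """Approximate browser URL pre-processing: remove tab/CR/LF anywhere and strip
    leading/trailing space and C0 controls, so "java\tscript:" is seen as
    "javascript:" here just as the browser would see it."""
    target = re.sub(r"[\t\r\n]", "", target)
    return target.strip(_C0_AND_SPACE)


def resolve_target(target: str, origin: str = SITE_ORIGIN) -> tuple:
    """Return (verdict, resolved_url). Verdict is 'ok', 'empty', 'bad-scheme' or
    'external'. Relative paths are resolved against origin, so '/x' is fine while
    '//evil.example/x' resolves to another host and is reported as external."""
    t = normalize_target(target)
    if not t:
        return "empty", ""
    resolved = urljoin(origin + "/", t)
    parts = urlsplit(resolved)
    if parts.scheme not in ALLOWED_SCHEMES:      # urlsplit lower-cases the scheme
        return "bad-scheme", resolved
    if parts.netloc.lower() != urlsplit(origin).netloc.lower():
        return "external", resolved
    return "ok", resolved


def safe_location(target: str, fallback: str = "/") -> str:
    """Value a redirect endpoint should put in its Location header: the resolved
    target when it passes validation, otherwise the fallback, never the raw input."""
    verdict, resolved = resolve_target(target)
    return resolved if verdict == "ok" else fallback


def refresh_target(value: str) -> str:
    """Extract the URL from a Refresh header value such as '0; url=/x' or
    "5;URL='/x'". Returns '' when the header only carries a delay."""
    _, sep, rest = value.partition(";")
    if not sep:
        _, sep, rest = value.partition(",")
    rest = rest.strip()
    m = re.match(r"url\s*=\s*", rest, re.IGNORECASE)
    if m:
        rest = rest[m.end():]
    return rest.strip("'\"")


def audit_headers(headers: dict) -> list:
    """Findings for one response's headers: each Location/Refresh target that does
    not validate is reported as 'Header: verdict'."""
    findings = []
    for name, value in headers.items():
        if name.lower() == "location":
            target = value
        elif name.lower() == "refresh":
            target = refresh_target(value)
            if not target:
                continue
        else:
            continue
        verdict, _ = resolve_target(target)
        if verdict != "ok":
            findings.append(f"{name}: {verdict}")
    return findings


# Constructed sample responses (header dicts only); none come from the post.
SAMPLE_RESPONSES = [
    {"Location": "/account"},                          # ordinary same-site redirect
    {"Location": "java\tscript:alert(1)"},             # tab-split scheme (attack #4/#5 class)
    {"Refresh": "0; url=data:text/html,constructed"},  # refresh to data: (attack #2 class)
    {"Refresh": "0;URL='//attacker.example/'"},        # scheme-relative open redirect
    {"Refresh": "30"},                                 # plain reload, nothing to check
]


def audit_all(responses=SAMPLE_RESPONSES) -> list:
    """Audit every sample response; one findings list per response."""
    return [audit_headers(h) for h in responses]


if __name__ == "__main__":
    for headers, findings in zip(SAMPLE_RESPONSES, audit_all()):
        print(headers, "->", findings or "ok")
```

The validator resolves the candidate against the site's own origin before looking at the scheme, so a same-site path passes, a scheme-relative `//host/` target is caught as an external redirect, and any target whose resolved scheme is not http or https is rejected whether it arrives lower-case, upper-case or with control characters spliced into the scheme. The same `resolve_target` check serves the detector side, which is what you would run over a proxy capture or response log to find redirectors already emitting such targets.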

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
