[Full-disclosure] Cross-Site Scripting attacks via redirectors in different browsers



Hello Full-Disclosure!

I already sent this letter to Bugtraq at 6th of September, but they declined
to post it without any explanation - maybe it was due to some politic
reasons :-). Will see how it'll be with your list.

At the end of July I published my article Cross-Site Scripting attacks via
redirectors (http://websecurity.com.ua/3376/). And at 4th of August I
published English version of my article (http://websecurity.com.ua/3386/).
In this article I wrote about using of redirectors in different browsers for
conducting of Cross-Site Scripting attacks.

In the article I wrote about XSS attacks in location-header and
refresh-header redirectors in different browsers: Mozilla 1.7.x, Mozilla
Firefox 3.x, Internet Explorer (IE6), Opera 9.x and Google Chrome 1.x. And
after additional research in August I found that next browsers are also
vulnerable: Google Chrome 2.x and 3.x, QtWeb, Safari, Opera 10.00 Beta 3,
SeaMonkey, Firefox 3.6 a1 pre, Firefox 3.7 a1 pre, Orca Browser and Maxthon
3 Alpha.

I wrote about five method of attacks in the article (via location-header and
refresh-header redirectors) - about four of them I already posted in
Bugtraq. In this letter I'll inform you about new vulnerable browsers to
those vulnerabilities which I wrote to Bugtraq before.

So in my article Cross-Site Scripting attacks via redirectors
(http://websecurity.com.ua/3386/) I wrote about five attack vectors:

Attack #1 - via refresh-header redirector to javascript: URI
(http://www.securityfocus.com/archive/1/504718).

Attack #2 - via refresh-header redirector to data: URI
(http://www.securityfocus.com/archive/1/504972/30/300/threaded).

Attack #3 - via location-header redirector to data: URI
(http://www.securityfocus.com/archive/1/505479/30/270/threaded).

Attack #4 - via location-header redirector (which use answer "302 Object
moved") to javascript: URI (http://www.securityfocus.com/archive/1/506163)

Attack #5 - via location-header redirector (which uses any 301 and 302
answers) to javascript: URI.

After first release of the article, I found new vulnerable browsers with
help of Aung Khant from YEHG Team.

The next browsers are also vulnerable:

Mozilla Firefox 3.0.13 - vulnerable to attacks #2,3,4.

Google Chrome 2.0.172.28, 2.0.172.37 and 3.0.193.2 Beta - vulnerable to
attacks #1,2.

QtWeb 3.0 Build 001 and 3.0 Build 003 - vulnerable to attacks #1,2,3.

Safari 4.0.3 - vulnerable to attacks #1,2.

Opera 10.00 Beta 3 Build 1699 - vulnerable to attacks #1,3.

SeaMonkey 1.1.17 - vulnerable to attacks #1,2,4.

Firefox 3.6 a1 pre - vulnerable to attacks #1,2,3,4.

Firefox 3.7 a1 pre - vulnerable to attacks #2,3,4.

Orca Browser 1.2 build 5 - vulnerable to attacks #2,3,4.

Maxthon 3 Alpha (3.0.0.145) with Ultramode (Apple’s WebKit emulation) -
vulnerable to attacks #1,2. And also vulnerable to attacks #3,4,5 as
Strictly social XSS.

Maxthon 3 Alpha is only browser vulnerable to attack #5 (for now). Attack #5
is similar to attack #4, just works in all location-header redirectors.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/