Sandblad #13: Cross-domain exploit on zombie document with event handlers

From: Andreas Sandblad (sandblad_at_acc.umu.se)
Date: 02/25/04

    Date: Wed, 25 Feb 2004 22:51:31 +0100 (CET)
    To: bugtraq <bugtraq@securityfocus.com>
    
    

    PUBLIC SECURITY ADVISORY: Sandblad #13
    --------------------------------------------------------------
    Title: Cross-domain exploit on zombie document with event handlers
    Date: 2004-02-25
    Software: Mozilla web browser
    Vendor: http://www.mozilla.org/
    Status: Patched
    Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=227417
    Type: Cross site scripting
    Impact: Site spoofing, cookie/password theft
    Author: Andreas Sandblad, sandblad@acc.umu.se
    --------------------------------------------------------------

    SUMMARY:
    ========
    When navigating to a new page, it is still possible to interact with the
    old page before the new page has finished loading (a "zombie document").
    Any JavaScript events fired during that window are invoked in the context
    of the new page, making cross-site scripting possible if the two pages
    belong to different domains.

    HISTORY:
    ========
    2003-12-02:
    Mozilla Security Team contacted. Assigned Bugzilla bug #227417:
    http://bugzilla.mozilla.org/show_bug.cgi?id=227417

    2003-12-03:
    Fix added.

    DETAILS:
    ========
    Mozilla has several security layers to prevent exploitation of zombie
    documents. Most importantly, the origin of all JavaScript code is checked
    before execution. The problem occurs with event handlers set in tags
    (inline handler attributes). Some attempts are made to disable them when
    the document is being replaced, but these can easily be bypassed.

    The trick is to fill the current document with as many event handlers as
    possible and then redirect to a new page. If an event handler is invoked
    at the right moment, it is executed in the context of the new page, thus
    making cross-site scripting possible.
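    The defence the advisory alludes to, checking the origin of script before it
    runs, can be modelled for event handlers as well. The following is an added
    example written for this page; it is not code from the advisory or from
    Mozilla's fix. It tags every handler with the origin of the document that
    installed it, drops the old document's handlers on navigation, and, as a
    second layer, refuses at dispatch time any surviving handler whose installing
    origin no longer matches the current document. The origins, the "cookie"
    values and the `keepStaleHandlers` switch (which only models the zombie
    behaviour for the demonstration) are constructed.

```javascript
'use strict';

// Added example, not Mozilla code: a minimal model of origin-checked event
// handlers. A handler carries the origin of the document that installed it,
// and may only run while that document is still the current one.
class BrowsingContext {
  constructor(origin, cookie) {
    this.origin = origin;   // origin of the document currently shown (constructed)
    this.cookie = cookie;   // per-document secret a handler might read (constructed)
    this.handlers = [];     // entries: { event, origin, fn }
  }

  // Install a handler and record which origin installed it.
  addEventListener(event, fn) {
    this.handlers.push({ event, origin: this.origin, fn });
  }

  // Load a new document. A correct implementation discards the outgoing
  // document's handlers. `keepStaleHandlers` (hypothetical switch) models the
  // zombie-document case where handlers from the old page survive navigation.
  navigate(newOrigin, newCookie, { keepStaleHandlers = false } = {}) {
    if (!keepStaleHandlers) this.handlers = [];
    this.origin = newOrigin;
    this.cookie = newCookie;
  }

  // Fire an event. With `checkOrigin` on, a handler runs only if the origin
  // that installed it is the current document's origin; otherwise it is blocked.
  dispatch(event, { checkOrigin = true } = {}) {
    const result = { ran: [], blocked: [] };
    for (const h of this.handlers) {
      if (h.event !== event) continue;
      if (checkOrigin && h.origin !== this.origin) {
        result.blocked.push(h.origin);
        continue;
      }
      result.ran.push(h.fn(this));
    }
    return result;
  }
}

// Scenario 1: a handler from site-a.test survives navigation to site-b.test.
// Without the origin check it reads site-b.test's cookie; with the check it
// is refused. Both sites and cookie values are constructed sample data.
function zombieScenario({ checkOrigin }) {
  const ctx = new BrowsingContext('http://site-a.test', 'cookie-for-site-a');
  ctx.addEventListener('mouseover', (doc) => doc.cookie);
  ctx.navigate('http://site-b.test', 'cookie-for-site-b', { keepStaleHandlers: true });
  return ctx.dispatch('mouseover', { checkOrigin });
}

// Scenario 2: navigation that correctly drops the old handlers, so there is
// nothing left to fire in the new document's context.
function cleanNavigationScenario() {
  const ctx = new BrowsingContext('http://site-a.test', 'cookie-for-site-a');
  ctx.addEventListener('mouseover', (doc) => doc.cookie);
  ctx.navigate('http://site-b.test', 'cookie-for-site-b');
  return ctx.dispatch('mouseover');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unchecked zombie:', zombieScenario({ checkOrigin: false }));
  console.log('checked zombie:  ', zombieScenario({ checkOrigin: true }));
  console.log('clean navigation:', cleanNavigationScenario());
}
```

    Run with `node` to see the three outcomes: the unchecked zombie handler
    returns site-b.test's cookie, the checked one is listed under `blocked`, and
    the clean navigation runs nothing. The two layers are deliberately
    independent, so a bypass of the first (handlers not being cleared) is still
    caught by the second.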

    DISCLAIMER:
    ===========
    Andreas Sandblad is not responsible for the misuse of the information
    provided in this advisory. The opinions expressed are my own and not of
    any company. In no event shall the author be liable for any damages
    whatsoever arising out of or in connection with the use or spread of this
    advisory. Any use of the information is at the user's own risk.

    FEEDBACK:
    =========
    Please send thoughts and comments to:
    sandblad@acc.umu.se
                                                          _ _
                                                     o' \,=./ `o
                                                        (o o)
    ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
    Andreas Sandblad, Umeå Sweden.
    ---=--=---=--=--=---=--=--=--=--=---=--=--=--=--=--=--=--=---=--

