[21173] in bugtraq
Re: Anonymized
daemon@ATHENA.MIT.EDU (joshua@safeweb.com)
Sun Jun 24 13:16:45 2001
Date: Sun, 24 Jun 2001 00:04:58 -0400
From: joshua@safeweb.com
To: bugtraq@securityfocus.com
Message-ID: <20010624000458.B3553@safeweb.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <11812090294.20010614210404@leader.ru>; from admin@leader.ru on Thu, Jun 14, 2001 at 09:04:04PM +0400
Thank you for bringing this to our attention. Unfortunately, due to the
complexity that is javascript, it took us a few days to fix our
interpreter and test it enough to satisfy us. A new build of safeweb.com
was put up today that fixes the problem described below. Undoubtably, the
astute readers of bugtraq will be able to come up with other vulnerabilities...
Given enough lead time, we hope to resolve any vulnerabilities that people
present us with.
On Thu, Jun 14, 2001 at 09:04:04PM +0400, Alexander K. Yezhov wrote:
<snip>
> Q: Does SafeWEB.com have the same issues?
>
> A: I had a look at SafeWeb today. Since it uses different approach to
> isolate dangerous JavaScript instructions the demo code won't work.
> SafeWeb doesn't let the script to verify if the URL is chained and
> correctly intercepts any attempts to change document.location or issue
> location.replace function. But the answer is ... "yes". To let the
> demo script verify the original URL we'll have to override
> fugunet_fixloc function. Then, to redirect current frame to unsecure
> location we can use "assign" method.
>
> The current "redirect" demo is available at:
>
> http://tools-on.net/privacy.shtml
>
> (click on the "Go" button below "Holmes/Who" and look at the report)
>
> You can also use direct (temp.) link to the "Who" tool:
>
> http://tools-on.net/privacy.shtml?o=who&t=4557701001675&
<snip>
