[29810] in bugtraq
Re: i cracked restriction of 'zone' in mozilla.
daemon@ATHENA.MIT.EDU (Alla Bezroutchko)
Thu Apr 17 13:59:59 2003
Message-ID: <3E9ED82E.9080001@scanit.be>
Date: Thu, 17 Apr 2003 18:37:02 +0200
From: Alla Bezroutchko <alla@scanit.be>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=KOI8-R; format=flowed
Content-Transfer-Encoding: 7bit
Liu Die Yu wrote:
>
> i cracked restriction of 'zone' in mozilla.
> ("that's all" is the end of file if you are in a hurry)
>
> [tested]
> OS:"Windows Server 2003"
>
> NETSCAPE Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN;
> rv:1.0.1) Gecko/20020823 Netscape/7.0 "
> (downloaded on "2003/3/31 UTC+800")
> MOZILLA Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US;
> rv:1.3) Gecko/20030312"
> (downloaded on "2003/4/1 UTC+800")
> MOZILLA Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
> rv:1.4a) Gecko/20030401"
> (downloaded on "2003/4/15 UTC+800")
Also tested and found vulnerable:
Netscape 6.2.3, Netscape 7.0, Netscape 7.01, Netscape 7.02 on Linux.
Mozilla 1.0.2, 1.1, 1.2.1, 1.3a on Linux and Mozilla 1.0 on Windows.
Beonex 0.8.2-stable and Phoenix 0.5 (Mozilla rv.: 1.3a Gecko
2002107) on Windows.
> [exp]
> Mozilla does not wash links on the edge of transforming from one document
> to another.
>
> {0}before content of the next document is loaded & after the security ID
> of current document is changed to the security ID of the next one(such
> period exists.):
>
> {1}links including their "onclick" property in current document remain
> alive(=clickable).
> {1.1}i can access my link if i have its reference.
> now,i call its "onclick" via the reference of link:
> {1.2}"onclick" is executed with security ID of the next page which is
> going to be loaded.
> (boring? "[demo-exp]" is easier.)
Internet Explorer throws an exception when you try to call the
onclick function by saved reference - perfectly correct
behavior. Opera seems to silently ignore the call. For Opera it
seems to be a common behavior to ignore bad calls without
throwing an exception (another example is calling document.write
by saved reference on a document that changed origin).
Finally, shameless plug. Our Browser Security Test
(http://bcheck.scanit.be/bcheck/) now checks for this vulnerability.
Alla
