Re: Netscape cross domain security hole

From: Henri Torgemane (henri_torgemaneat_private)
Date: Thu Jan 10 2002 - 19:56:25 PST


    Well yes and no.
    
    Netscape does have cross-domain security mechanisms.
    so w=open("http://www.far-away.com");alert(w.document.cookie);
    will fail because of that mechanism.
    Netscape protects parts of the DOM that are likely to contain sensitive
    stuff. That includes the location object, any form object, and I think
    most, if not all, of the document object.
    
    However, it doesn't block access to user-defined members of another
    page on another domain.
    So theoretically, one could imagine a site A with a form, and a
    validation script that stores some of the form content in a global
    variable, and an evil site B that opens a window to site A and talks
    the user into filling in the form, then keeps polling specific global
    variables in the hope of stealing some data.
    Coming up with a practical attack is another matter.
    
    
    Hope that helps,
    Henri
    
    
    
    
    --- Avi Mozes <amozesat_private> wrote:
    > 
    > 
    > I found out that Netscape doesn't have security when 
    > it comes to accessing sites from domain to domain.  
    > This seems to work in 4.7x -- I have not tried it out yet 
    > in Netscape 6.  What this hole allows you to do is run 
    > any Javascript (and VBScript) functions on any site 
    > as well as change values of global variables.  This 
    > allows you to run functions that you shouldn't run or 
    > set variables to values that could damage or allow 
    > you to access information.  
    > 
    > The way it's done: have a page open (with a simple 
    > window.open command using a window handle) any 
    > site.  
    > To run a function, run on the parent page:
    > winhandle.function(param);
    > To change any variable:
    > winhandle.var = value;
    > 
    > One exploit is with cookies where you are able to get 
    > and set cookies if the site has cookie functions.  This 
    > will make it possible for you to set cookies from that 
    > domain.  If a site relies on Javascript or cookies for 
    > some point of their security system, this could be 
    > even more damaging.  And lastly, it can grab user 
    > information if a user uses a page with this exploit and 
    > continues to another domain opened by the page.
    > 
    > Let me know your ideas on this.
    > Avi
    > amozesat_private
    
    
    
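A model of the leaky-global pattern Henri describes (site A's validator stashing form data in a global that a handle-holding window can read) beside the scoped version that avoids it. This is an added example, not code from either poster; the plain `win` object, the `cardNumber` field, the constructed test value and the function names are assumptions standing in for a real page's window object and form.

```javascript
// Added example, not from the original thread. A plain object stands in for
// the browser window object: a page's global variables are properties of its
// window, which is exactly what `winhandle.var` in the quoted mail reaches.

// Vulnerable pattern: the validator keeps the raw field value on the window
// object so other scripts on the page can reuse it. Per the thread, Netscape
// 4.7x does not apply its cross-domain checks to user-defined members like
// this, only to objects such as document, location and forms.
function validateLeaky(win, form) {
  win.lastCardNumber = form.cardNumber; // user-defined global: readable as winhandle.lastCardNumber
  return /^\d{16}$/.test(win.lastCardNumber);
}

// Hardened pattern: the sensitive value lives only in function scope and is
// gone when the function returns. If some global state is genuinely needed,
// expose a non-sensitive result, never the data itself.
function validateScoped(win, form) {
  const cardNumber = form.cardNumber; // local: never attached to the window
  const ok = /^\d{16}$/.test(cardNumber);
  win.lastValidationOk = ok; // boolean only; nothing worth polling
  return ok;
}

// Audit helper: lists the non-function members a page has hung on its
// window object, i.e. what another window holding a handle could read
// even where the DOM proper is protected.
function exposedUserGlobals(win) {
  const out = {};
  for (const key of Object.keys(win)) {
    if (typeof win[key] !== 'function') out[key] = win[key];
  }
  return out;
}

// Constructed sample input (a well-known test card number, not real data).
const sampleForm = { cardNumber: '4111111111111111' };
const leakyWin = {};
const scopedWin = {};
validateLeaky(leakyWin, sampleForm);
validateScoped(scopedWin, sampleForm);
```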



    This archive was generated by hypermail 2b30 : Thu Jan 10 2002 - 20:16:29 PST