Issue: Multiple web space providers are susceptible to script-based origin validation attacks. Impact: Cookie theft, page manipulation, ... Additional Information: http://www.murphy.101main.net/vulns/2002-24.txt Many web space providers offer their users web space by way of a folder-based URL, something like this: http://www.domain.com/community/uid An interesting scenario occurs when pages are visited on (commonplace) JavaScript-enabled browsers. The same-origin policy that is used to avoid cross-frame security violations is completely compromised, as the only difference in these URLs to the browser is folder/virtual paths, not sufficient for a same-origin violation. This vulnerability allows anyone who can create a webspace account on the host to manipulate the appearance of other hosted sites provided the victim can be coaxed to a page under their control. This allows for typical cross-domain scripting attacks (stealing cookies, reading form data, ...), which could be pretty devastating, as one site instantly has access to the guts of a few thousand (million?) others. I have confirmed that Terra Lycos' AngelFire service is vulnerable, and also Yahoo! Geocities is believed susceptible. It is very likely that others are vulnerable. "The reason the mainstream is thought of as a stream is because it is so shallow." - Author Unknown
This archive was generated by hypermail 2b30 : Mon Aug 05 2002 - 21:26:30 PDT