SecurityTracker.com
SecurityTracker
Archives

Category:   Application (Web Browser)  >   Mozilla Browser
Vendors:   Mozilla.org
Mozilla Event Handler Document Transition Flaw Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1009209
SecurityTracker URL:  http://securitytracker.com/id/1009209
CVE Reference:   CVE-2004-0191   (Links to External Site)
Updated:  Mar 4 2004
Original Entry Date:  Feb 25 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): Affects versions prior to 1.6
Description:   A vulnerability was reported in the Mozilla browser in the processing of event handlers during the transition of documents. A remote user can conduct cross-site scripting attacks.

Andreas Sandblad reported that a remote user can create HTML containing a specially crafted link that, when loaded in the target user's browser, may cause arbitrary JavaScript event handlers to execute in the security context of the new page.

The flaw reportedly resides in 'nsDOMClassInfo.cpp' and occurs when a large number of event handlers are used within HTML tags.

A remote user can create specially crafted HTML that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser in the context of an arbitrary site in that site's security domain. The code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A limited amount of user interaction may be required.

The vendor was reportedly notified on December 2, 2003.

The original bug report (containing some demonstration exploit HTML) is available at:

http://bugzilla.mozilla.org/show_bug.cgi?id=227417

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (on December 3, 2003), available via CVS. A fix is also included in version 1.6b, available at:

http://www.mozilla.org/releases/

Vendor URL:  bugzilla.mozilla.org/show_bug.cgi?id=227417 (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 18 2004 (Red Hat Issues Fix for RH Linux) Mozilla Event Handler Document Transition Flaw Permits Cross-Site Scripting Attacks
Red Hat has released a fix for Red Hat Linux 9.
Apr 15 2004 (Red Hat Issues Fix for RH Enterprise Linux) Mozilla Event Handler Document Transition Flaw Permits Cross-Site Scripting Attacks
Red Hat has released a fix for Red Hat Enterprise Linux 2.1 and 3.
Apr 30 2004 (HP Issues Fix for Tru64) Mozilla Event Handler Document Transition Flaw Permits Cross-Site Scripting Attacks
HP has issued a fix for HP Tru64 UNIX.
May 11 2004 (HP Issues Fix for HP-UX) Mozilla Event Handler Document Transition Flaw Permits Cross-Site Scripting Attacks
HP has issued a fix for HP-UX.



Source Message Contents

Subject:  Sandblad #13: Cross-domain exploit on zombie document with event

PUBLIC SECURITY ADVISORY: Sandblad #13
--------------------------------------------------------------
Title:      Cross-domain exploit on zombie document with
            event handlers
Date:       2004-02-25
Software:   Mozilla web browser
Vendor:     http://www.mozilla.org/
Status:     Patched
Reference:  http://bugzilla.mozilla.org/show_bug.cgi?id=227417
Type:       Cross site scripting
Impact:     Site spoofing, cookie/password theft
Author:     Andreas Sandblad, sandblad@acc.umu.se
--------------------------------------------------------------


SUMMARY:
========
When linking to a new page it is still possible to interact with the old
page before the new page has been successfully loaded (zombie document).
Any javascript events fired will be invoked in the context of the new
page, making cross site scripting possible if the pages belong to
different domains.


HISTORY:
========
2003-12-02:
Mozilla Security Team contacted. Assigned Bugzilla bug #227417:
http://bugzilla.mozilla.org/show_bug.cgi?id=227417

2003-12-03:
Fix added.


DETAILS:
========
Mozilla has several security layers to prevent exploitation of zombie
documents. Most importantly, the origin of all javascript code is checked
before execution. The problem occurs with event handlers used in tags.
Some attempts are made to disable them, but they can easily be bypassed.

The trick is to fill the current document with as many event handlers as
possible and then redirect to a new page. If the event handler is invoked
at the right time it will be executed in the context of the new page, thus
making cross site scripting possible.


DISCLAIMER:
===========
Andreas Sandblad is not responsible for the misuse of the information
provided in this advisory. The opinions expressed are my own and not of
any company. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
advisory. Any use of the information is at the user's own risk.


FEEDBACK:
=========
Please send thoughts and comments to:
sandblad@acc.umu.se
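The DETAILS section above describes event handlers compiled in the old (zombie) document firing in the context of the new page. What follows is an added example, not code from the advisory or from Mozilla's source tree: a toy JavaScript model of that document transition, showing the vulnerable dispatch beside one that applies the missing origin check. All class and function names are invented for illustration.

```javascript
// Added example (not from the advisory or Mozilla): a toy model of the
// "zombie document" transition. A handler declared in a tag of page A still
// exists after the window starts loading page B. The vulnerable dispatch runs
// it against whatever document is current; the hardened one checks origin first.

class Document {
  constructor(origin) {
    this.origin = origin;
    this.handlers = [];                     // inline handlers declared in this document
    this.cookie = `session-for-${origin}`;  // constructed sample value
  }
}

class BrowserWindow {
  constructor(doc) { this.current = doc; }
  // An inline handler is compiled in, and owned by, the document whose tag declares it.
  addHandler(doc, fn) {
    doc.handlers.push({ owner: doc, fn });
  }
  // Start a navigation: the old document becomes a zombie but keeps its handlers.
  navigate(newDoc) {
    const zombie = this.current;
    this.current = newDoc;
    return zombie;
  }
  // Vulnerable model: a zombie's handlers fire with the new document as their context.
  dispatchVulnerable(zombie) {
    return zombie.handlers.map(h => h.fn(this.current));
  }
  // Hardened model: apply the same-origin check that ordinary script already gets.
  // A handler owned by a document from another origin than the current one is dropped.
  dispatchHardened(zombie) {
    return zombie.handlers
      .filter(h => h.owner.origin === this.current.origin)
      .map(h => h.fn(this.current));
  }
}

// Page A registers a handler, then links to page B on another origin.
// Returns what the handler could read from the document it ran against.
function simulate(hardened) {
  const pageA = new Document("http://a.example");  // constructed sample origins
  const pageB = new Document("http://b.example");
  const win = new BrowserWindow(pageA);
  win.addHandler(pageA, doc => doc.cookie);
  const zombie = win.navigate(pageB);
  return hardened ? win.dispatchHardened(zombie) : win.dispatchVulnerable(zombie);
}
```

In the vulnerable model the handler from page A reads page B's cookie; in the hardened model it never runs.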


Copyright 2021, SecurityGlobal.net LLC