<<< Date Index >>>     <<< Thread Index >>>

Sandblad #13: Cross-domain exploit on zombie document with event handlers




PUBLIC SECURITY ADVISORY: Sandblad #13
--------------------------------------------------------------
Title:      Cross-domain exploit on zombie document with
            event handlers
Date:       2004-02-25
Software:   Mozilla web browser
Vendor:     http://www.mozilla.org/
Status:     Patched
Reference:  http://bugzilla.mozilla.org/show_bug.cgi?id=227417
Type:       Cross site scripting
Impact:     Site spoofing, cookie/password theft
Author:     Andreas Sandblad, sandblad@xxxxxxxxxx
--------------------------------------------------------------


SUMMARY:
========
When linking to a new page it is still possible to interact with the old
page before the new page has been successfully loaded (zombie document).
Any javascript events fired will be invoked in the context of the new
page, making cross site scripting possible if the pages belong to
different domains.


HISTORY:
========
2003-12-02:
Mozilla Security Team contacted. Assigned Bugzilla bug #227417:
http://bugzilla.mozilla.org/show_bug.cgi?id=227417

2003-12-03:
Fix added.


DETAILS:
========
Mozilla has several security layers to prevent exploitation of zombie
documents. Most important the origin of all javascript code is checked
before execution. The problem occurs with event handlers used in tags.
Some attempts are made to disable them, but can easily be bypassed.

The trick is to fill the current document with as many event handlers as
possible and then redirect to a new page. If the event handler is invoked
at the right time it will be executed in the context of the new page, thus
making cross site scripting possible.


DISCLAIMER:
===========
Andreas Sandblad is not responsible for the misuse of the information
provided in this advisory. The opinions expressed are my own and not of
any company. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
advisory. Any use of the information is at the user's own risk.


FEEDBACK:
=========
Please send thoughts and comments to:              _     _
sandblad@xxxxxxxxxx                              o' \,=./ `o
                                                    (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
Andreas Sandblad, Umeå Sweden.
---=--=---=--=--=---=--=--=--=--=---=--=--=--=--=--=--=--=---=--