<<< Date Index >>>     <<< Thread Index >>>

Advisory 03/2007: Multiple Browsers Cross Domain Charset Inheritance Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: Multiple Browsers Cross Domain Charset Inheritance Vulnerability
 Release Date: 2007/02/23
Last Modified: 2007/02/23
       Author: Stefan Esser [sesser@xxxxxxxxxxxxxxxx]

  Application: Firefox <= 2.0.0.1, Internet Explorer 7, Opera 9
 Not affected: Internet Explorer 6, Opera 8
     Severity: Web-pages without a defined charset will be rendered
               with the charset of the parent page when put into an
               (i)frame. This might allow bypassing XSS filters
               with for example UTF-7 payload
         Risk: Low
Vendor Status: Only Mozilla reacted and released Firefox 2.0.0.2 which fixes 
this issue
   References: http://www.hardened-php.net/advisory_032007.142.html


Overview:

   While testing Firefox it was discovered that pages not specifying
   a charset in a HTTP Content-Type header or from within a HTML META
   tag, inherit the charset of the parent page when they are rendered
   within an (i)frame, even when both pages are on different domains.

   This opens up Firefox to all the UTF-7 XSS vulnerabilities that were
   reported in the past (google.com, mediawiki, ...) and are usually
   attributed to only affect Internet Explorer due to its charset
   autodetection. All an attacker needs to get it working is put the
   XSS attack into an iframe on a site using UTF-7.

   After the initial contact with the Mozilla team Internet Explorer 7
   was released which unlike Internet Explorer is also vulnerable to
   the charset inheritance issue. Hinted by the Mozilla developers it
   was also discovered that Opera 9 unlike Opera 8 also introduced
   this vulnerability.

   Unfortunately neither Microsoft nor Opera were interested in the
   vulnerability. Opera did not react at all on our bug report and
   Microsoft just sent a nonsense mail to us, claiming that we had
   disclosed this already to the public and that they like getting
   advance notice. We never heard back from them after that initial
   email. Not really surprising because it is a similar behaviour we
   previously encountered when dealing with them.


Proof of Concept:

   The Hardened-PHP Project is not going to release a proof of concept
   exploit for this vulnerability.


Disclosure Timeline:

   11. October 2006  - Notified security@xxxxxxxxxxx
   23. February 2007 - Firefox 2.0.0.2 released
   23. February 2007 - Public Disclosure


Recommendation:

   We strongly recommend to upgrade to Firefox 2.0.0.2 which also
   fixes several other security vulnerabilities not reported by us
   and therefore not covered by this advisory.

   http://mozilla.org/


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2007 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFF32E6RDkUzAqGSqERApcNAKCZuga9MqD8YXoVvBWvkPjBaskZwgCfV9wy
ir2XC0ZpOGDkW4f3twiBxsc=
=spEd
-----END PGP SIGNATURE-----