Firefox cross-domain text theft (CESA-2008-011)
- To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Firefox cross-domain text theft (CESA-2008-011)
- From: "Chris Evans" <scarybeasts@xxxxxxxxx>
- Date: Thu, 18 Dec 2008 01:00:22 -0800
Hi,
Firefoxes 2.0.0.19 and 3.0.5 fix a cross-domain theft of textual data.
The theft is via cross-domain information leaks in JavaScript error
messages for scripts executed via <script src="remote_domain.org">.
The JavaScript error messages are made available to the window.onerror
handler. In some cases, JavaScript error messages can contain pieces
of text from the remote domain as part of the error message, e.g.
"blah is not defined". This permits certain textual constructs to be
stolen cross-domain.
The broader issue was fixed in Firefox 3.0. However this fix was not
complete. The fix could be dodged by using another instance of the
"302 redirect trick". It was possible to cause the browser to believe
a remote script was in fact local, and therefore continue to reveal
JavaScript error messages.
Advisory: http://scary.beasts.org/security/CESA-2008-011.html
Blog post:
http://scarybeastsecurity.blogspot.com/2008/12/firefox-cross-domain-text-theft.html
Cheers
Chris
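As an added illustration (not code from the advisory or from Firefox), the following JavaScript models the decision a browser makes before handing a script's error text to the page's window.onerror handler: the origin comparison has to use the URL the script was finally fetched from, after any redirect, or a same-origin URL that redirects to a remote host is wrongly treated as local. The script and error object shapes, the helper names and the sample URLs are assumptions; the muted "Script error." text is what browsers report for cross-origin scripts.

```javascript
// Added example: a model of a browser's decision about what window.onerror may see.
// Not Firefox code; the script/error object shapes and helper names are assumptions.
// All URLs and the error message below are constructed sample values.

// Origin = scheme + host (+ port), the unit the same-origin policy compares.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Flawed check: trusts the URL written in <script src="...">. A same-origin URL
// that answers with a 302 to another host is then misclassified as local.
function isLocalScriptByRequestUrl(pageUrl, script) {
  return originOf(script.requestedUrl) === originOf(pageUrl);
}

// Correct check: compare against the URL the script bytes were actually loaded from.
function isLocalScriptByFinalUrl(pageUrl, script) {
  return originOf(script.finalUrl) === originOf(pageUrl);
}

// What the page's window.onerror handler receives. A non-local script's error is
// muted to the generic "Script error." text so no remote text reaches the page.
function errorForOnerror(pageUrl, script, error, isLocal) {
  if (isLocal(pageUrl, script)) {
    return { message: error.message, source: script.finalUrl, line: error.line };
  }
  return { message: 'Script error.', source: '', line: 0 };
}

// Constructed scenario: the page includes a same-origin URL that redirects to a
// remote host whose response is not valid JavaScript, so the parser reports an
// error that embeds a token of the remote text ("blah is not defined").
const pageUrl = 'https://site.example/page.html';
const redirectedScript = {
  requestedUrl: 'https://site.example/redirect',  // what the <script> tag asked for
  finalUrl: 'https://remote.example/data.txt',    // where the 302 actually led
};
const remoteError = { message: 'blah is not defined', line: 1 };

// Compare the two checks on the same scenario.
function demo() {
  return {
    leaky: errorForOnerror(pageUrl, redirectedScript, remoteError, isLocalScriptByRequestUrl),
    fixed: errorForOnerror(pageUrl, redirectedScript, remoteError, isLocalScriptByFinalUrl),
  };
}
```

With the request-URL check the handler sees the remote token; with the final-URL check it sees only "Script error." and an empty source.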