Hello Bugtraq! I want to warn you about Cross-Site Scripting vulnerability in Mozilla Firefox, Opera and other browsers. It allows to bypass protection from executing of JavaScript code in location-header redirectors (by redirecting to javascript: URI). Recently, 04.08.2010, I wrote about vulnerability in Mozilla and Mozilla Firefox at my site. I made full disclosure because Mozilla completely ignored similar vulnerability, which I informed them in August 2009, like all other vulnerabilities in Firefox which I wrote in 2009 in my article Cross-Site Scripting attacks via redirectors (http://websecurity.com.ua/3386/). After that release I made additional checks of this vulnerability in different browsers and found that Opera 10.53 is vulnerable (to new and old holes), at that version Opera 9.52 was not vulnerable. It looks like Opera ignored my article Cross-Site Scripting attacks via redirectors and those two vulnerabilities (two attack vectors via redirectors), which I told them about in 2009, and added two new attack vectors via redirectors. Earlier I already wrote about Cross-Site Scripting vulnerability in Mozilla, Firefox and other browsers (http://websecurity.com.ua/3373/) (CVE-2009-3014) via redirectors with answer "302 Object moved". As I recently checked, besides earlier mentioned vulnerable browsers also the next browsers are vulnerable: Firefox 3.0.19, Firefox 3.5.11, Firefox 3.6.8, Firefox 4.0b2 and Opera 10.53 (at that version Opera 9.52 isn't vulnerable). Recently I informed Mozilla and Opera about these issues in their browsers. In Firefox at the sites, which use answer "302 Found" in redirectors, at request to location-header redirector with setting of JavaScript code, the browser will show "Found" page, where there is this code in the link “here”. At click on which the code will execute. I.e. it is Strictly social XSS, and also this is one more example of Local XSS (http://websecurity.com.ua/4219/). XSS: With request to script at web site: http://site/script.php?param=javascript:alert(document.cookie) Which returns in answer the Location header: HTTP/1.x 302 Found Location: javascript:alert(document.cookie) The browser will show “Found” page. At click on the link “here” the code will execute in context of this site. Besides javascript URI also it's possible to use data URI for executing of JS-code, if redirector outputs in Location header the chars ";" and "," in plain (not in URL encoding) form. Also in all versions of Mozilla and Mozilla Firefox it's possible to use another variant of Strictly social XSS - with using of -moz-binding (for Firefox < 3.0 or for Firefox => 3.0 with xml-file on the same site) or with using of onMouseOver: http://site/script.php?param=a:%22%20onMouseOver=%22alert(document.cookie) At moving of the cursor on the link “here” the code will execute in context of this site. And if to use my MouseOverJacking technique (http://websecurity.com.ua/3814/), then it's possible to automate this attack in all versions of Mozilla and Mozilla Firefox (especially when using of -moz-binding isn't possible): http://site/script.php?param=a:%22%20style=%22width:100%25;height:100%25;display:block;position:absolute;top:0px;left:0px%22%20onMouseOver=%22alert(document.cookie) This attack is possible only if redirector (with "302 Found" or "302 Object moved" answer) outputs double quote in Location header in plain (not in URL encoding) form. Affected software: Vulnerable are Mozilla 1.7.x and previous versions. Vulnerable are Mozilla Firefox 3.0.19, Firefox 3.5.11, Firefox 3.6.8, Firefox 4.0b2 and previous versions. Vulnerable are Opera 10.53 and potentially all 10.x versions (at that version Opera 9.52 isn't vulnerable). As in case of XSS via redirectors with answer "302 Object moved", to this vulnerability also must be vulnerable the next browsers: SeaMonkey 1.1.17, Firefox 3.7 a1 pre, Orca Browser 1.2 build 5 and Maxthon 3 Alpha (3.0.0.145) with Ultramode. I mentioned about this vulnerability at my site (http://websecurity.com.ua/4432/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua
