logo Home

Untitled Document

Home > Archives Advisories > Articles


Untitled Document

Untitled Document

Mozilla race condition crossite scripting
Date: 2003-04-16

Author : Liu Die Yu <liudieyuinchina@yahoo.com.cn>

i cracked restriction of 'zone' in mozilla.
("that's all" is the end of file if you are in a hurry)

[tested]
OS:"Windows Server 2003"

NETSCAPE Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN;
rv:1.0.1) Gecko/20020823 Netscape/7.0 "
(downloaded on "2003/3/31 UTC+800")
MOZILLA Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US;
rv:1.3) Gecko/20030312"
(downloaded on "2003/4/1 UTC+800")
MOZILLA Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.4a) Gecko/20030401"
(downloaded on "2003/4/15 UTC+800")

[demo]
http://liudieyuinchina.vip.sina.com/EdgeLink/EdgeLink-MyPage.htm
or
UMBRELLA.MX.TC ===> EdgeLink-MyPage section.
(disable Popup killer.)

[exp]
Mozilla does not wash links on the edge of transforming from one document
to another.

{0}before content of the next document is loaded & after the security ID
of current document is changed to the security ID of the next one(such
period exists.):

{1}links including their "onclick" property in current document remain
alive(=clickable).
{1.1}i can access my link if i have its reference.
now,i call its "onclick" via the reference of link:
{1.2}"onclick" is executed with security ID of the next page which is
going to be loaded.
(boring? "[demo-exp]" is easier.)

[demo-exp]
okay, this is easier. listen up:

task:
show "document.cookie" at "www.securityfocus.com", via "window.alert".

[*]our "LINK" page: it's in our 'zone' and contains a link with
onclick="alert(document.cookie)"

[*]"main" script lives in another page;
now, "main" script plays the trick:
open "LINK" page in another window - "mywin".
save the reference of the link in "LINK" page to "MyLink" variable.
tell "mywin" to go to "http://www.securityfocus.com/".
wait until the security ID changes
("security ID changes"<==>"main script is unable to get protected info"--
>"try{[Get protected info in mywin]}catch{[now, security ID is
changed.]}" )

call "MyLink.onclick()" *immediately*.
/*
we call that immediately, so the time is {0}(refer to "{0}" in "[exp]");
even though the security ID is changed to that
of "http://www.securityfocus.com", our link remains alive.{1}
even though the security ID is victim's id, main script still can
call "MyLink.onclick()".{1.1}
at last, {1.2}
*/

that's all.

[how]
from small beginnings come great things!
read:

http://liudieyuinchina.vip.sina.com/EdgeLink/EdgeLink-How.htm
or
UMBRELLA.MX.TC ===> EdgeLink-How section.

if you are interested in how i got this in 5 hours after i downloaded
mozilla.

[people]
greetings to you all!
and thanx to
"the Pull", dror, bin, gean, dross, iainm, and always: mom and dad - for
their help.

[extra offer]
if you are browsing through web daily with MSIE, try:

http://liudieyuinchina.vip.sina.com/domex/aPoP
or
DOMEX.INT.TC ===> aPoP section.

(it's coded by me; i hope you like it :-) )
BTW,i'm very proud of my "PuriWeb" function in it.


-----
all mentioned resources can always be found at UMBRELLA.MX.TC

[contact]
UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"



 

arrowSearch Advisories

arrowNewsletter

Free weekly Newsletter.

Please enter your email address here:
arrowReport Vulnerability

If you've found a vulnerability please
click here to report it.
arrowPartners

newsnow

About Us | Contact Us | Advertise | email | Backend flag
Copyright © 2016-2017 Security Corporation - All Rights Reserved - Legal - Privacy Policy