Bugtraq mailing list archives
Cross-Site Scripting vulnerabilities in Mozilla, Internet Explorer, Opera and Chrome
From: "MustLive" <mustlive () websecurity com ua>
Date: Fri, 3 Jul 2009 01:21:57 +0300
Hello SecurityFocus! I want to warn you about Cross-Site Scripting vulnerabilities in Mozilla, Internet Explorer, Opera and Chrome. I wrote about it at my site this Monday (29.06.2009) and also informed corresponding browsers developers about this vulnerability. At 21.04.2009 there was fixed vulnerability in Firefox 3.0.9 (http://www.mozilla.org/security/announce/2009/mfsa2009-22.html), which allowed to conduct XSS attacks via Refresh header. And as I checked, this attack is also working in Mozilla, IE6, Opera and Chrome. XSS: With request to script at web site: http://site/script.php?param=javascript:alert(document.cookie) Which returns in answer the refresh header: refresh: 0; URL=javascript:alert(document.cookie) The code will work in context of this site. Vulnerable version is Mozilla 1.7.x and previous versions. Vulnerable version is Mozilla Firefox 3.0.8 and previous versions. Vulnerable version is Internet Explorer 6 (6.0.2900.2180) and previous versions. And potentially next versions (IE7 and IE8). Vulnerable version is Opera 9.52 and previous versions (and potentially next versions too). Vulnerable version is Google Chrome 1.0.154.48 and previous versions (and potentially next versions too).I mentioned about this vulnerability at my site (http://websecurity.com.ua/3275/).
Best wishes & regards, MustLive Administrator of Websecurity web sitehttp://websecurity.com.ua
!DSPAM:4a4d326b156009547910959!
Current thread:
- Cross-Site Scripting vulnerabilities in Mozilla, Internet Explorer, Opera and Chrome MustLive (Jul 03)
- Re: Cross-Site Scripting vulnerabilities in Mozilla, Internet Explorer, Opera and Chrome Michal Zalewski (Jul 03)