Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)

[Richard Moore <rich () westpoint ltd uk>]

Resent as I realised I'm not subscribed here

Michal Zalewski wrote:
> I can't really comment on whether
> this fixes the problem once and for all, because I haven't really examined
> the changes implemented for 364692, but yeah, my example no longer crashes
> the browser for me.

I think there are still underlying problems in the code as the
following illustrates:

1. Put this in a web page, then view it in firefox.

<html>
<body onunload="location = self.location">
<a href="http://slashdot.org/";>http://slashdot.org/</a>
</body>
</html>

2. Click on the link which should take you to slashdot and you'll end
up back where you were (this has been known about for ages).

3. Now do 'View Source' and you get shown the sourcecode to slashdot
rather than the source code for the page you're viewing.

Actual Results:
View source displays the contents of the wrong site

Expected Results:
I'd expect to see the source code for the page I'm viewing.

A web page could trigger the link itself using DOM events (or naviagate
away using javascript form submission) and use this technique to hide
the source code of a malicious page from the user. I did a quick check
that document.cookie wasn't chcking the wrong URL, but I have not
checked extensively which other parts of the browser can be spoofed
in this fashion.

I reported this via bugzilla, but it was closed as a duplicate of bug
253497 which was reported in 2004.

Cheers

Rich.
-- 
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/