 
From: Eiji James Yoshida (ptrs-ejy_at_bp.iij4u.or.jp)
Date: Tue Aug 06 2002 - 02:15:52 CDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    + Title:
    ~~~~~~~~~~~~~~~~~
    Mozilla FTP View Cross-Site Scripting Vulnerability

     
    + Date:
    ~~~~~~~~~~~~~~~~~
    4 August 2002

     
    + Author:
    ~~~~~~~~~~~~~~~~~
    Eiji James Yoshida [ptrs-ejy_at_bp.iij4u.or.jp]

     
    + Risk:
    ~~~~~~~~~~~~~~~~~
    Medium

     
    + Vulnerable:
    ~~~~~~~~~~~~~~~~~
    Windows2000 SP2 Mozilla 1.0

     
    + Not vulnerable:
    ~~~~~~~~~~~~~~~~~
    Windows2000 SP2 Mozilla 1.1 Beta

     
    + Overview:
    ~~~~~~~~~~~~~~~~~
    Mozilla allows malicious scripts to run due to a bug in the 'FTP view' feature.
    If you click on a malicious link, the script embedded in the URL will run.

    * If the FTP server and the HTTP server are at the same address, this is dangerous,
      because the cookie may be modified by the attacker.

     
    + Details:
    ~~~~~~~~~~~~~~~~~
    This problem is in the 'FTP view' feature.
    The URL in '<title>URL</title>' is not escaped.

     
    + Exploit code:
    ~~~~~~~~~~~~~~~~~
    <a href="ftp://[FTPserver]/#%3C%2ftitle%3E%3Cscript%3Ealert(%22exploit%22);%3C%2fscript%3E">Exploit</a>

    Example:
    <a href="ftp://ftp.mozilla.org/#%3C%2ftitle%3E%3Cscript%3Ealert(%22exploit%22);%3C%2fscript%3E">Exploit</a>

     
    + Demonstration:
    ~~~~~~~~~~~~~~~~~
    http://www.geocities.co.jp/SiliconValley/1667/advisory03e.html

     
    + Workaround:
    ~~~~~~~~~~~~~~~~~
    Use the latest version of Mozilla 1.1 Beta or disable JavaScript.

     
    + Vendor status:
    ~~~~~~~~~~~~~~~~~
    The Mozilla security bug group was notified on 22 June 2002.
    They have fixed the problem, and the fix will be included in Mozilla 1.0.1.
    (The fix has already been included in the latest version of Mozilla 1.1 Beta.)
     

    - -------------------------------------------------------------
    Eiji "James" Yoshida
    penetration technique research site
    E-mail: zaddikgeocities.co.jp
    URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
    - -------------------------------------------------------------

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8ckt
    Comment: Eiji James Yoshida

    iQA/AwUBPU92XTnqpMRtMot1EQLOuQCeO8vvL8ML6Krm0DFmwAauDWy3BhIAoL5q
    ijvFoTEv7XV5IBaAyuFEecmH
    =9sum
    -----END PGP SIGNATURE-----
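
Added example, not part of the original advisory and not Mozilla's code: a minimal JavaScript model of a listing-page generator, showing the unescaped `<title>` described under Details next to a version that escapes at the point of output, plus a regression check. The function names and the host ftp.example.org are assumptions made for illustration.

```javascript
// Constructed model of an FTP listing-page generator. Function names and the
// host ftp.example.org are hypothetical; this is not Mozilla's code.

// Escape text for HTML element content or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Percent-decode a URL for display; fall back to the raw string when the
// escapes are malformed.
function displayUrl(rawUrl) {
  try {
    return decodeURIComponent(rawUrl);
  } catch (e) {
    return rawUrl;
  }
}

// Before: the decoded URL goes into <title> unescaped.
function renderListingVulnerable(rawUrl) {
  return `<html><head><title>${displayUrl(rawUrl)}</title></head><body></body></html>`;
}

// After: the same string is escaped at the point of output.
function renderListingFixed(rawUrl) {
  return `<html><head><title>${escapeHtml(displayUrl(rawUrl))}</title></head><body></body></html>`;
}

// Regression check: true when the markup has a script element or more than one </title>.
function titleBreaksOut(html) {
  const closes = (html.match(/<\/title>/gi) || []).length;
  return closes !== 1 || /<script\b/i.test(html);
}

// Constructed input: the advisory's URL pattern with a placeholder host.
const sampleUrl =
  'ftp://ftp.example.org/#%3C%2ftitle%3E%3Cscript%3Ealert(%22exploit%22);%3C%2fscript%3E';

console.log('vulnerable breaks out:', titleBreaksOut(renderListingVulnerable(sampleUrl)));
console.log('fixed breaks out:     ', titleBreaksOut(renderListingFixed(sampleUrl)));
console.log(renderListingFixed(sampleUrl));
```

The check in `titleBreaksOut` is suitable as a unit test for any code path that reflects a URL into generated markup.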