[Tickets #8715] Re: XSS vulnerability
bugs at horde.org
bugs at horde.org
Wed Nov 25 13:53:04 UTC 2009
Ticket URL: http://bugs.horde.org/ticket/8715
------------------------------------------------------------------------------
Ticket | 8715
Updated By | acmpires at co.sapo.pt
Summary | XSS vulnerability
Queue | IMP
Version | FRAMEWORK_3
Type | Bug
State | Feedback
Priority | 3. High
Milestone | 4.3.6
Patch |
Owners | Horde Developers
------------------------------------------------------------------------------
david.a.julio at gmail.com (2009-11-25 08:20) wrote:
Don't forget about other content types. For example, if the data is
the base64 encoding of:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test</title>
</head>
<body>
<script type="text/javascript">alert(document.cookie)</script>
</body>
</html>
Then, the attacker can also use a link with the following URI:
data:application/xhtml+xml;base64,<encoding of above>
And this is not the only one. If they use the content types text/xml or
application/xml, the page will be parsed as an XML document. In the
script, document now has the type XMLDocument, and doesn't have the
property cookie. We can still write something like:
<script type="text/javascript">
if (undefined === document.cookie)
window.location.replace(window.location.href.replace("text/xml",
"application/xhtml+xml"))
else
alert(document.cookie)
</script>
The same for application/xml, or more elaborate code to take care of
various cases.
I just tested these four cases, text/html, text/xml, application/xml,
application/xhtml+xml, and I don't know if there are others.
I don't have a better suggestion for you, so I just leave the comment
that blacklisting can be dangerous.
Thank you for your time.
> Attachments are not private anyway. :)
>
> Your patch seems to do its job, attached is a test case.
>
> I'm not sure how far Firefox can be tricked to consider a link as a
> data scheme. I'm thinking of variants of "data:text/html".
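The comment above argues that blocking a list of known-bad link prefixes (such as "data:text/html") is fragile, because the same payload can be served under other MIME types or with trivial variations of the scheme. The following is an added example, not code from the Horde project or from the ticket, that contrasts a naive prefix blacklist with a scheme allowlist over a set of constructed links. The sample links, the placeholder body, the allowed-scheme set and the function names are all assumptions made here for illustration.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample body: a harmless placeholder document. Only the scheme
# and MIME type of each link matter for the check being demonstrated.
_PLACEHOLDER_BODY = b"<html><body>placeholder</body></html>"
_B64 = base64.b64encode(_PLACEHOLDER_BODY).decode("ascii")

# Constructed sample links: two ordinary links, the four data: content types
# named in the ticket, and two cosmetic variations a browser still resolves.
SAMPLE_LINKS = [
    "https://example.invalid/page",
    "mailto:user@example.invalid",
    f"data:text/html;base64,{_B64}",
    f"data:application/xhtml+xml;base64,{_B64}",
    f"data:text/xml;base64,{_B64}",
    f"data:application/xml;base64,{_B64}",
    f"DATA:text/html;base64,{_B64}",   # scheme names are case-insensitive
    f" data:text/html;base64,{_B64}",  # leading whitespace is ignored by browsers
]

# Approach 1 (fragile): block exactly the prefix that was reported.
BLACKLIST_PREFIXES = ("data:text/html",)

def blacklist_allows(link: str) -> bool:
    """Naive blacklist: reject only links that start with a known-bad prefix."""
    return not link.startswith(BLACKLIST_PREFIXES)

# Approach 2 (robust): permit only a short list of schemes that the
# application actually needs; everything else is rejected by default.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

def _normalise(link: str) -> str:
    """Apply the normalisation browsers perform before resolving a URL:
    trim surrounding whitespace and drop embedded tab/newline characters."""
    return re.sub(r"[\t\n\r]", "", link.strip())

def allowlist_allows(link: str) -> bool:
    """Allowlist: accept a link only if its (normalised, lower-cased)
    scheme is explicitly permitted. Relative links have an empty scheme
    and are rejected here; widen ALLOWED_SCHEMES deliberately if needed."""
    scheme = urlsplit(_normalise(link)).scheme.lower()
    return scheme in ALLOWED_SCHEMES

def compare(links=SAMPLE_LINKS):
    """Return {link: (blacklist_verdict, allowlist_verdict)} for review."""
    return {link: (blacklist_allows(link), allowlist_allows(link)) for link in links}

if __name__ == "__main__":
    for link, (bl, al) in compare().items():
        print(f"blacklist={bl!s:5} allowlist={al!s:5}  {link[:48]}")
```

Run as a script, the comparison shows the blacklist passing every data: link except the one exact prefix it names, while the allowlist rejects all of them, including the upper-cased and whitespace-padded variants, without needing to know which MIME types a browser will execute.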