Spoofing holes in web browsers
Security expert Michal Zalewski has published details of new vulnerabilities found in Internet Explorer and Firefox. Attackers can exploit these holes for URL spoofing. Opera and Konqueror also contain such security flaws.
Under Firefox, web pages may access content in the browser cache via wyciwyg:// URIs. Although these URIs are meant to be inaccessible to users, Zalewski has found ways to bypass this restriction, for instance, using error pages announcing that the page will be redirected (HTTP 302 redirect). Also the "same domain" policy checks can be bypassed by such redirects to execute cross-site scripting attacks, allowing attackers to access information from the cache and to add own content into cached pages. Zalewski has provided a demo page which, however, did not work when heise Security conducted tests under Windows XP with Firefox 220.127.116.11, but displayed injected content under Mac OS X and Firefox 18.104.22.168.
Under Internet Explorer, manipulated web pages can prevent users from leaving the page whilst displaying content specified by the attacker, although the address bar still displays the URL specified by the user. According to Zalewski, repeatedly calling the document.open() function after the user has entered the new address prevents page transition. The function is executed before onBeforeUnload() is invoked and before the entered address is resolved via DNS.
Opera and Konqueror, too, exhibit vulnerabilities which can be exploited to display arbitrary content via specially crafted URLs. Robert Swiecki has found a flaw in these browsers that takes effect while rendering data: URIs. data: URIs allow web pages to directly insert content such as images into the HTML code. Bugs triggered when the address line is displayed while such web pages are processed might cause the affected browsers to only display the last characters of the address. The URL is padded with whitespaces to make it look legitimate. Swiecki, too, provides a demo page to illustrate the bug.
So far, no updates have been made available. Users are advised to be very careful when surfing the Internet and should avoid visiting unknown and untrusted sites.
- Firefox wyciwyg:// cache zone bypass, security advisory by Michal Zalewski
- MSIE7 entrapment again, security advisory by Michal Zalewski
- Opera/Konqueror: data: URL scheme address bar spoofing, security advisory by Robert Swiecki
- Demonstration of the Firefox vulnerability by Zalewski
- Demonstration of the Internet Explorer vulnerability by Zalewski
- Demonstration of the vulnerability in Opera/Konqueror by Swiecki