Advisory 03/2007: Multiple Browsers Cross Domain Charset Inheritance Vulnerability

2007-02-25T00:00:00
ID SECURITYVULNS:DOC:16175
Type securityvulns
Reporter Securityvulns
Modified 2007-02-25T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

                    Hardened-PHP Project
                    www.hardened-php.net

                  -= Security  Advisory =-


 Advisory: Multiple Browsers Cross Domain Charset Inheritance Vulnerability

Release Date: 2007/02/23 Last Modified: 2007/02/23 Author: Stefan Esser [sesser@hardened-php.net]

Application: Firefox <= 2.0.0.1, Internet Explorer 7, Opera 9 Not affected: Internet Explorer 6, Opera 8 Severity: Web-pages without a defined charset will be rendered with the charset of the parent page when put into an (i)frame. This might allow bypassing XSS filters with for example UTF-7 payload Risk: Low Vendor Status: Only Mozilla reacted and released Firefox 2.0.0.2 which fixes this issue References: http://www.hardened-php.net/advisory_032007.142.html

Overview:

While testing Firefox it was discovered that pages not specifying a charset in a HTTP Content-Type header or from within a HTML META tag, inherit the charset of the parent page when they are rendered within an (i)frame, even when both pages are on different domains.

This opens up Firefox to all the UTF-7 XSS vulnerabilities that were reported in the past (google.com, mediawiki, ...) and are usually attributed to only affect Internet Explorer due to its charset autodetection. All an attacker needs to get it working is put the XSS attack into an iframe on a site using UTF-7.

After the initial contact with the Mozilla team Internet Explorer 7 was released which unlike Internet Explorer is also vulnerable to the charset inheritance issue. Hinted by the Mozilla developers it was also discovered that Opera 9 unlike Opera 8 also introduced this vulnerability.

Unfortunately neither Microsoft nor Opera were interested in the vulnerability. Opera did not react at all on our bug report and Microsoft just sent a nonsense mail to us, claiming that we had disclosed this already to the public and that they like getting advance notice. We never heard back from them after that initial email. Not really surprising because it is a similar behaviour we previously encountered when dealing with them.

Proof of Concept:

The Hardened-PHP Project is not going to release a proof of concept exploit for this vulnerability.

Disclosure Timeline:

  1. October 2006 - Notified security@mozilla.org
  2. February 2007 - Firefox 2.0.0.2 released
  3. February 2007 - Public Disclosure

Recommendation:

We strongly recommend to upgrade to Firefox 2.0.0.2 which also fixes several other security vulnerabilities not reported by us and therefore not covered by this advisory.

http://mozilla.org/

GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2007 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFF32E6RDkUzAqGSqERApcNAKCZuga9MqD8YXoVvBWvkPjBaskZwgCfV9wy ir2XC0ZpOGDkW4f3twiBxsc= =spEd -----END PGP SIGNATURE-----