Minify and related plugins DOM-Based XSS Vulnerability

2012-04-09T00:00:00
ID SECURITYVULNS:DOC:27918
Type securityvulns
Reporter Securityvulns
Modified 2012-04-09T00:00:00

Description

+-------------------------------------------------------------------------------------------+

Title : Minify and related plugins DOM-Based XSS Vulnerability

Version : 2.1.3 & 2.1.4-Beta

Credit : Ayoub Aboukir, Independent Security Researcher

Contact : <ay.aboukir at gmail d0t com>

Software Link : http://code.google.com/p/minify/

Release note:

https://groups.google.com/group/minify/browse_thread/thread/48c1d1cf2642f79

Date of found : 03/01/2012

Date of report : 03/03/2012

Developer response: 03/03/2012

Upgrade release : 03/10/2012

Disclosure date : 03/21/2012

+-------------------------------------------------------------------------------------------+

+---+[About the software]+---+

It combines multiple CSS or Javascript files, removes unnecessary whitespace and comments, and serves them with gzip encoding and optimal client-side cache headers.

Minify is integrated into other projects/plugins:

* WordPress: WP-Minify
* WordPress: W3 Total Cache
* Zend Framework: View helpers for links/scripts
* Symfony: sfMinifyPlugin
* Moodle: minify
* Yii: minscript Extension


+---+[About the exploit]+---+

DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.


+---+[Proof of Concept: ]+---+

A specially formed URL could cause a user's web browser to run arbitrary Javascript on a domain where the Minify Builder application is accessible. If a host serves the "Minify URI Builder" application at http://example.org/min/builder/, the host is vulnerable.

By adding "#g=<script>alert("XSSed ");</script>" after /min/builder/ the attacker can execute arbitrary code; in this case it is the classic alert box. Example: http://localhost/min/builder/#g=<script>alert(document.cookie)</script> This displays the current session's cookies, which could instead be sent to an attacker-controlled third-party page.
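The pattern behind this finding is the one described in the "About the exploit" section: a client-side script reads a value from location.hash (the "g" parameter) and writes it into the page through a markup sink, so the server response never changes but the DOM does. The following is an added example, not Minify's own builder code: it models the hash-parameter parsing and the markup sink as plain string functions so it runs under Node without a browser DOM, and places the vulnerable concatenation next to the encoded version. The function names, the `<input name="g">` markup, and the idea that the value lands in an attribute are assumptions for illustration; the payload is the one quoted above.

```javascript
// Added example (not from the Minify project): DOM-XSS source/sink pattern
// and its hardened counterpart, modelled with strings so it runs in Node.

// Decode a percent-encoded fragment piece; malformed sequences such as a lone
// "%" would make decodeURIComponent throw, so fall back to the raw text.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// Parse "key=value&key2=value2" out of a location.hash string such as "#g=...".
// This is the "source" of the DOM-based XSS: attacker-controlled input that
// never reaches the server.
function parseHashParams(hash) {
  const params = {};
  const query = hash.startsWith('#') ? hash.slice(1) : hash;
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = safeDecode(idx === -1 ? pair : pair.slice(0, idx));
    const value = idx === -1 ? '' : safeDecode(pair.slice(idx + 1));
    params[key] = value;
  }
  return params;
}

// Encode the five characters that let text break out of an HTML text or
// attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable pattern (assumed sink): the hash value is concatenated straight
// into markup that would later be assigned to innerHTML.
function renderGroupVulnerable(hash) {
  const g = parseHashParams(hash).g || '';
  return '<input name="g" value="' + g + '">';
}

// Hardened pattern: the same sink, but the untrusted value is HTML-encoded
// first. In a real page, assigning to .value or .textContent instead of
// building markup avoids the sink altogether.
function renderGroupSafe(hash) {
  const g = parseHashParams(hash).g || '';
  return '<input name="g" value="' + escapeHtml(g) + '">';
}

// Detection helper for client-side logging or a test suite: flag a hash value
// that carries markup-significant characters before it reaches any sink.
function looksLikeMarkup(value) {
  return /[<>"']/.test(value);
}

module.exports = { safeDecode, parseHashParams, escapeHtml, renderGroupVulnerable, renderGroupSafe, looksLikeMarkup };
```

The vulnerable function reproduces the script tag verbatim in the returned markup; the hardened one returns `&lt;script&gt;...` so the browser renders it as literal text. The same encoding rule applies to every other fragment or query parameter a page copies into the DOM.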


+---+[ Greetz to ]+---+

Yasser & Yassin Aboukir