Web Application Security
CSS before redirect Sep 08 2003 03:32PM
Stephen de Vries (stephen devries dcode net) (2 replies)
RE: CSS before redirect Sep 09 2003 09:09AM
Thomas Schreiber (ts secure-net de)
There is a security risk under some circumstances: if a second
vulnerability exists and the client is Mozilla or Firebird (tested with the latest
version). The latest version of IE and Opera do not seem vulnerable; others were not
tested.

The additional hole needed often exists if the redirect is not done by the
webserver but by some custom script that does not correctly sanitize input.

Suppose you enter this:
http://somewhere.tld/here?search="></a><script>alert('hello')</script><!--%0d%0aLocation:%20foo://bar

If the custom redirector does not properly handle it, it may write the
%0d%0a through as it is, i.e. as CRLF, which results in this header:

HTTP/1.1 302 Object Moved
Location: http://somewhereelse.com/there?search="></a><script>alert('hello')</script><!--
Location: foo://bar
Server: Microsoft-IIS/4.0
Content-Type: text/html

The Mozilla browsers (perhaps others) overwrite the first 'Location:' with the
second. As this (foo://bar) is not a valid URL, the browser takes the body as a last
resort and the XSS code gets evaluated.

Thomas Schreiber - ts (at) secure-net (dot) de [email concealed]
SecureNet GmbH, Munich

> -----Original Message-----
> From: Stephen de Vries [mailto:stephen.devries (at) dcode (dot) net [email concealed]]
> Sent: Monday, September 08, 2003 5:33 PM
> To: webappsec (at) securityfocus (dot) com [email concealed]
> Subject: CSS before redirect
>
>
>
> Hi all,
>
> I'm looking at an application that seems to be vulnerable to a CSS attack;
> however, the browser keeps following the redirect before running the
> script. The request:
>
> GET /includes?"></a><script>alert('hello')</script> HTTP/1.1
>
> Results in the following response:
>
> HTTP/1.1 302 Object Moved
> Location: https://somwhereelse.com
> Server: Microsoft-IIS/4.0
> Content-Type: text/html
> Content-Length: 123
>
> <head><title>Document Moved</title></head>
> <body><h1>Object Moved</h1>This document may be found <a
> HREF="https://somewhereelse.com/includes/?"></a><script>alert('hello')</script>">here</a>
>
> The CSS injection looks as though it should work, if the browser just
> displayed that page, but instead it acts on the redirect immediately
> before displaying the page. This happens in both Mozilla 1.4 and IE 6.
> Do you think this represents a security risk? Do older browsers behave
> in the same way? Is it possible to turn this behaviour off? Does
> cologne make the man?
>
>
> cheers,
>
> Stephen
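As an added illustration (not code from the thread or from any product named in it), here is a Python sketch of the redirector pattern Thomas describes beside a hardened version, plus a small header parser that reveals the duplicated Location header; the base URL, the `search` parameter name and the allowed host are assumptions.

```python
import re
from html import escape
from urllib.parse import quote, unquote, urlsplit

# Constructed sample: the query value from the thread, still percent-encoded as
# it arrives in the request line.
INJECTED = '"></a><script>alert(\'hello\')</script><!--%0d%0aLocation:%20foo://bar'
BASE = "http://somewhereelse.com/there"  # assumed redirect target


def vulnerable_redirect(search_param: str) -> bytes:
    """The pattern the thread describes: decoded input written straight into the header."""
    location = f"{BASE}?search={unquote(search_param)}"
    return (f"HTTP/1.1 302 Object Moved\r\nLocation: {location}\r\n"
            f"Content-Type: text/html\r\n\r\n").encode("latin-1")


def hardened_redirect(search_param: str) -> bytes:
    """Reject control characters, re-encode the value, pin the target host, escape the body."""
    value = unquote(search_param)
    if re.search(r"[\x00-\x1f\x7f]", value):
        raise ValueError("control character in redirect parameter")
    location = f"{BASE}?search={quote(value, safe='')}"  # CR/LF can no longer reach the header
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https") or parts.hostname != "somewhereelse.com":
        raise ValueError("redirect target not allowed")
    # The 302 body echoes the URL too (as in Stephen's response), so HTML-escape it there.
    body = f'This document may be found <a href="{escape(location, quote=True)}">here</a>'
    return (f"HTTP/1.1 302 Object Moved\r\nLocation: {location}\r\n"
            f"Content-Type: text/html\r\nContent-Length: {len(body)}\r\n\r\n{body}").encode()


def header_values(raw: bytes, name: str) -> list:
    """Return every value of header `name` in the response head, so duplicates show up."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")[1:]
    prefix = name.lower() + ":"
    return [line.split(":", 1)[1].strip() for line in head if line.lower().startswith(prefix)]
```

Running `header_values(vulnerable_redirect(INJECTED), "Location")` returns two values, the second being `foo://bar`, while `hardened_redirect(INJECTED)` raises before any header is written.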

Re: CSS before redirect Sep 08 2003 04:20PM
Jeremiah Grossman (jeremiah whitehatsec com) (1 replies)
Re: CSS before redirect Sep 08 2003 09:10PM
Marc Slemko (marcs znep com)