W3C CSS :visited Pseudo-Class Information Disclosure Vulnerability

Cascading Style Sheets (CSS) are a series of specifications produced and published by the World Wide Web Consortium (W3C). They are intended to provide a standard for adding literal formatting and layout information to HTML documents. CSS-1 is partially implemented by most browsers, including Netscape and Internet Explorer.

Features defined in the CSS specification include the ':visited' pseudo class, which is used to define styles used on links to previously visited pages and to include external references in style declarations. Used together, these features may lead to an information-disclosure vulnerability.

An attacker must construct a malicious web pageand include a link to a known third-party page. The attacker may then define a ':visited' style for this link and include a reference to an attacker-controlled file within the style declaration. When the malicious page is loaded, the user's browser will access the external reference only if it is required. The attacker may then monitor the access to this file and determine if the user has visited the specified page.

The ':visited' style defintion may also change information that is available through the browser DOM, allowing client-side scripting to detect the state of the link. The script may then take intelligent action, possibly modifying page content or layout.

This is not a normal vulnerability, but rather the consequence of a variety of design decisions, including the usability and efficiency of the browser and the difficult question as to what information is safe to disclose in the DOM.


Privacy Statement
Copyright 2010, SecurityFocus