[See all my vulnerabilities at http://scary.beasts.org/security]
[Blog if you want to subscribe to new findings is at http://scarybeastsecurity.blogspot.com/]
A bit of background here. At least Firefox 2 and Firefox 3 support E4X, which means that inline XML is valid JavaScript. E.g. if you have a JavaScript statement that is simply

    <element>value</element>

it parses fine as JavaScript, even though it does not do much (the result is not assigned to any variable etc).
This is kind of scary because a lot of XML returned by web apps is sensitive - private RSS inbox feeds, AJAX responses etc. So, evil.org can parse this sensitive XML in the untrusted domain simply by referring to it via <script src=blah/>.
There are various possible attacks to steal this XML cross-domain. I will outline the start of one here. An XML injection bug existed in E4X parsing:

    default xml namespace = '\''; <blah/>;

The above JavaScript snippet would give an unterminated string literal error message whilst attempting to parse

    <parent xmlns='''><blah/></parent>

As well as injecting text into E4X parsing in the local domain, the default xml namespace trick applies to remote XML included via <script src>.
Unfortunately, the best I can do with this is ascertain some very limited information about the structure of the remote XML (when combining this with another pending disclosure). I'm sure some web wizard out there can think of something more useful for this bug. Note that E4X JavaScript expression substitution occurs before the injected XML is parsed, which is a shame.
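The defensive side of the problem above, as an added example that is not part of the advisory: a sensitive XML endpoint can be protected against inclusion via <script src> by refusing requests that lack a custom header (which a cross-origin script tag cannot attach) and by prefixing the body with a sequence that is a JavaScript syntax error, so a parser that accepts inline XML aborts before it reaches the XML. The header name, the guard prefix and the sample feed are assumptions made here, not anything the advisory prescribes; the code is plain Node.js.

```javascript
// Added example (not from the advisory): a server-side guard for sensitive
// XML endpoints against cross-domain <script src> inclusion. The header
// convention and the guard prefix are choices assumed here.

// An unbalanced ')' followed by stray tokens: no JavaScript engine, with or
// without E4X, parses past this, so a <script src> include of the response
// fails before any inline XML is reached.
const GUARD_PREFIX = ")]}'\n";

// Constructed sample of the kind of sensitive XML the advisory describes
// (a private inbox feed); not real data.
const SAMPLE_XML =
  '<?xml version="1.0"?><inbox><item>meeting moved to 3pm</item></inbox>';

// A cross-origin <script src> request cannot carry custom headers; the
// application's own XMLHttpRequest calls can. Header names are lower-cased,
// as Node's http module presents them.
function isOwnXhrRequest(headers) {
  return headers['x-requested-with'] === 'XMLHttpRequest';
}

function guardXml(xml) {
  return GUARD_PREFIX + xml;
}

// Client-side counterpart: the application's own code removes the prefix
// before handing the body to an XML parser.
function stripGuard(body) {
  if (!body.startsWith(GUARD_PREFIX)) {
    throw new Error('response is missing the anti-inclusion guard');
  }
  return body.slice(GUARD_PREFIX.length);
}

// Handler logic for a sensitive XML endpoint: reject requests that do not
// look like the application's own XHR, and guard the body when serving.
function serveSensitiveXml(request, xml) {
  if (!isOwnXhrRequest(request.headers)) {
    return { status: 403, contentType: 'text/plain', body: 'forbidden' };
  }
  return { status: 200, contentType: 'application/xml', body: guardXml(xml) };
}

// Does a response body parse as JavaScript in this engine? Node (V8) has no
// E4X, so bare XML already fails here; the property the guard must have is
// that the body fails no matter what follows the prefix, even valid JS.
function parsesAsJavaScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Stand-alone demonstration; returns the observations rather than printing.
function demo() {
  const denied = serveSensitiveXml({ headers: {} }, SAMPLE_XML);
  const served = serveSensitiveXml(
    { headers: { 'x-requested-with': 'XMLHttpRequest' } }, SAMPLE_XML);
  return {
    deniedStatus: denied.status,                       // 403
    servedStatus: served.status,                       // 200
    guardedBodyIsJs: parsesAsJavaScript(served.body),  // false
    roundTrip: stripGuard(served.body) === SAMPLE_XML, // true
  };
}
```

The two layers are independent: the header check stops the request from being answered at all when it comes from a script tag, and the prefix makes the body useless as JavaScript should the check ever be bypassed by a browser quirk. The application's own fetch code must call stripGuard before parsing the XML.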
CESA-2008-010 - rev 1
Chris Evans
scarybeasts@gmail.com