CESA-2008-011 - rev 1
[See all my vulnerabilities at
http://scary.beasts.org/security]
[Blog if you want to subscribe to new findings is at
http://scarybeastsecurity.blogspot.com/]
Firefox cross-domain information theft (simple text strings, some CSV)
Programs affected: Firefox 2, Firefox 3.
Fixed: Firefox 2.0.0.19, Firefox 3.0.5
Severity: Cross-domain information leakage.
CVE-2008-5507
MFSA 2008-65
The modern web model permits remote domain <script> inclusion with no
restrictions. If the remote data, which does not have to be script, has an
effect on the evil domain doing the inclusion, you have a cross-domain data
leak.
Firefox supports the property window.onerror, which is called on any
JavaScript error. Occasionally, a JavaScript error message includes text
from the content that failed to parse or run. That text is then leaked as a
cross-domain breach. Firefox 3 is wise to this trick, probably thanks to
Filipe Almeida (see credit below): Firefox 3.0.4 replaces the JavaScript
error text with a generic message when the error is generated by script
loaded from a remote domain. However, the "302 redirect trick" bypasses that
protection. Firefox 2.0.0.18 did not need any such tricks to reveal
information.
The best error message to target is "blah is not defined", which refers to a
textual name that is not currently bound to a variable. In this manner you
can steal cross-domain data that consists of a single word. If the
cross-domain data is CSV, e.g. "a, b, c", you can steal the text of all
three words by iteratively sourcing the script, noting the undefined
variable name, defining it and repeating. Other textual error messages may
reveal other data for specific textual constructs on the remote domain.
Little demo (hit refresh if nothing happens):
https://cevans-app.appspot.com/static/ff3scriptredirbug.html
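Added example (not part of this advisory): a server-side guard for a sensitive CSV endpoint, so the data cannot be pulled in cross-origin via <script src> in the first place. It relies on two mechanisms the 2008 advisory does not discuss and which are assumptions here: the X-Content-Type-Options: nosniff response header, and the Sec-Fetch-Dest request header that browsers set to "script" for <script src> loads. Runs in Node.js with no dependencies.

```javascript
// Added example: protect a sensitive CSV resource against cross-origin
// <script src> inclusion. Two mechanisms, neither from the advisory:
//  - X-Content-Type-Options: nosniff makes browsers refuse to execute a
//    <script> response whose Content-Type is not a JavaScript type;
//  - Sec-Fetch-Dest is set to "script" by browsers for <script src> loads,
//    so the server can refuse such requests outright.

const SENSITIVE_CSV = 'alice, secret-token-1, admin\n'; // constructed sample data

// Returns {status, headers, body} for a request to the CSV endpoint.
function serveCsv(requestHeaders) {
  const headers = {
    'Content-Type': 'text/csv; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'no-store',
  };
  // Header names are case-insensitive; normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(requestHeaders)) h[k.toLowerCase()] = v;

  // A <script src="..."> load announces itself as destination "script".
  // Sensitive CSV has no legitimate reason to be fetched that way.
  if (h['sec-fetch-dest'] === 'script') {
    return { status: 403, headers, body: '' };
  }
  // Same-origin fetch or plain navigation: serve the data.
  return { status: 200, headers, body: SENSITIVE_CSV };
}

// Model of how a browser that honours nosniff treats a response it fetched
// for a <script> tag: execution is refused unless the MIME type is a script type.
// Without nosniff (the 2008 situation), the CSV is executed regardless, and
// "a is not defined" style errors follow.
function wouldExecuteAsScript(response) {
  const ct = (response.headers['Content-Type'] || '').toLowerCase();
  const nosniff =
    (response.headers['X-Content-Type-Options'] || '').toLowerCase() === 'nosniff';
  const isScriptMime = /^(text|application)\/(javascript|ecmascript)/.test(ct);
  return nosniff ? isScriptMime : true;
}
```

With both guards in place the CSV is neither delivered to a <script> load nor executed as script if it somehow were, so the error-message channel described above has nothing to carry.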
Credits
- Filipe Almeida, who was on top of abusing remote script includes to steal
simple pieces of information a long long time ago.
- Google - found on Google's time.
Chris Evans
scarybeasts@gmail.com