Full Disclosure mailing list archives

Sage cross-context scripting -> LOCAL-CONTEXT SCRIPTING
From: pagvac <unknown.pentester () gmail com>
Date: Sat, 18 Nov 2006 13:43:28 +0000

Correct me if I'm wrong, but the following description from
<http://www.securityfocus.com/bid/19928/discuss> is wrong:

"Attacker-supplied HTML and script code would execute in the context
of the affected website"

Code is NOT executed within the context of the affected site but
rather within LOCAL CONTEXT.

I tested this vulnerability myself, and I can confirm that it allows
you to read arbitrary files from the local filesystem by getting
someone to subscribe to your malicious RSS feed (the feed needs to be
read with Sage Firefox extension). The reason for getting scripting in
the local context is because the feed is stored locally, and then the
injected scripting code is executed.

Furthermore, David Kierznowski should also be credited with the
discovery of this vulnerability (in addition to pdp and Kevin
Hamilton):

http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/

Additionally, as an update, there are 2 new cross-context scripting
vulnerabilities found in Sage by David Kierznowski and Rick. Then
again, we have LOCAL CONTEXT SCRIPTING. So forget about restrictions
to running scripts within the context of the vulnerable site:

http://michaeldaw.org/md-hacks/rss-injection-in-sage-part-2/
http://michaeldaw.org/md-hacks/rss-injection-in-sage-part-2/#comment-1058

Finally, I'd like to make clear that Firefox *doesn't* show any
security warning when executing JavaScript locally (whereas IE
*does*). So when exploiting this cross-context scripting vulnerability
in Sage, Firefox will show NO SECURITY WARNING to the user whatsoever.

More on Firefox not showing security warnings when launching evil HTML
files locally:

http://www.gnucitizen.org/blog/web-pages-from-hell-2/

-- 
pagvac
[http://ikwt.com/]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
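The post describes the mechanism without showing it: item text taken from an untrusted feed is written to a local file and later rendered as HTML, so any markup inside a title or description is interpreted. The following is an added example (written for this archive page, not code from the post, from Sage or from the linked advisories) that parses a constructed RSS feed, flags items whose text fields carry script tags, event-handler attributes or javascript: URLs, and shows the difference between rendering the fields raw and rendering them escaped. The feed content, the `DANGEROUS` pattern and the render functions are assumptions made for illustration.

```python
"""Audit RSS item text for injected HTML before it is rendered by a feed reader."""
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (assumption for this example, not a captured feed):
# one benign item and one whose description carries a script block plus an
# img tag with an onerror handler. The entities decode to raw markup on parse.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Example feed</title>
<item>
  <title>Benign post</title>
  <description>Plain &amp; simple text</description>
</item>
<item>
  <title>Injected post</title>
  <description>&lt;script&gt;alert(document.location)&lt;/script&gt;&lt;img src=x onerror="alert(1)"&gt;</description>
</item>
</channel></rss>"""

# Markup that must never reach an HTML renderer unescaped: active element
# tags, inline event handlers and javascript: URLs. Assumed pattern; extend as needed.
DANGEROUS = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\son[a-z]+\s*=|javascript\s*:", re.I
)

TEXT_FIELDS = ("title", "description")


def parse_items(feed_xml):
    """Return a list of {field: text} dicts, one per <item>, with entities decoded."""
    root = ET.fromstring(feed_xml)
    items = []
    for item in root.iter("item"):
        items.append({f: (item.findtext(f) or "") for f in TEXT_FIELDS})
    return items


def flag_injection(item):
    """Names of the text fields in one item that contain active markup."""
    return [f for f in TEXT_FIELDS if DANGEROUS.search(item[f])]


def audit_feed(feed_xml):
    """(title, flagged_fields) for every item; an empty list means the item is clean."""
    return [(i["title"], flag_injection(i)) for i in parse_items(feed_xml)]


def render_unsafe(item):
    """What a reader does when it trusts the feed: markup passes straight through."""
    return f"<h3>{item['title']}</h3><div>{item['description']}</div>"


def render_safe(item):
    """Escape every text field so injected tags display as text instead of executing."""
    return (
        f"<h3>{html.escape(item['title'])}</h3>"
        f"<div>{html.escape(item['description'])}</div>"
    )


if __name__ == "__main__":
    for title, flagged in audit_feed(SAMPLE_FEED):
        print(f"{title!r}: {'flagged ' + ','.join(flagged) if flagged else 'clean'}")
    injected = parse_items(SAMPLE_FEED)[1]
    print("unsafe:", render_unsafe(injected))
    print("safe:  ", render_safe(injected))
```

Note that escaping is the fix for the text fields; a reader that deliberately allows a subset of HTML in descriptions needs a real allow-list sanitizer rather than a blocklist regex, which is why `flag_injection` is presented here as a detection check and `render_safe` as the conservative default.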
