Full Disclosure mailing list archives
Re: Bypassing Content-Disposition: attachment for XSS on Chrome/Safari(IOS 6.x)
From: Łukasz Pilorz <lpilorz () gmail com>
Date: Thu, 31 Jul 2014 13:23:44 +0200
Hi Yorick,

this is interesting, but as far as I know, since iOS 5 CVE-2011-3426 no longer allows cross-site scripting in Safari: http://support.apple.com/kb/HT4999

"This issue is addressed by loading attachments in an isolated security origin with no access to resources on other sites."

While JavaScript is executed, it has no access to the origin of the hosting site, apart from access to location and referrer values. Additionally, Yahoo seems to present this attachment in a separate domain without access to the user's session, which also stops practical XSS exploitation.

Related test cases: https://ios.browsr-tests.com/alt/downloads.php

There are some iOS browsers vulnerable in this case, but in Safari the hosting website will be vulnerable only if it passes session ids or other sensitive data in URLs (location/referrer of the download).

Cheers,
Lukasz
@runicpl
Attached is a screenshot that demonstrates this issue on Yahoo! Mail. Despite the Content-Disposition header, (HTML) attachments are rendered by Mobile Safari.

On 30-07-14 19:01, Securify B.V. wrote:

This issue was originally reported as CVE-2011-3426. We can confirm that Mobile Safari on iOS 7.1.2 is still affected. We've reported this to Apple on February 25, 2014.

You can test it yourself at: http://www.securify.nl/cve-2011-3426.html

This test page sets the following HTTP headers:

Content-Disposition: attachment;filename=cve-2011-3426.html
Content-Type: application/octet-stream

With kind regards,
Yorick

On Tue, 2014-07-29 at 15:56 +0800, heige wrote:
Bypassing Content-Disposition: attachment for XSS on Chrome/Safari(IOS)

by Superhei of KnownSec team (www.knownsec.com) 2013.6.3

Test Environment: ipad(ios 6.1.3) Chrome(26.0.1410.53)

This code is a downloader for an attachment which is a HTML file.

<?php
// down.php
// The response is declared as plain text and as a download (attachment),
// so a browser should save the file rather than render it.
header("Content-Type:text/plain");
//header("Content-Type:text/html");
header("Content-Disposition: attachment; filename=\"test.html\"");
// Body is HTML with a script; a browser that ignores the headers above runs it.
echo "<html><script>alert(1)</script></html>";
?>

On IOS, when Chrome/Safari visit the down.php, the HTML code will be running. Of course, this includes the JavaScript and leads to cross-site scripting attacks.

from http://www.80vul.com/apple.txt
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
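Added example, not from any message in this thread: a small Python audit of the conditions the replies above name for a download response (Content-Disposition: attachment present, attachment served from a domain separate from the application, no session identifiers in the download URL or its referrer, since an isolated-origin render can still read location and referrer). The sensitive parameter list, function names and sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names treated as session material; a constructed list for this example.
SENSITIVE_PARAMS = {"sid", "sessionid", "phpsessid", "jsessionid", "token", "auth"}


def origin_of(url):
    """scheme://host[:port] of a URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def sensitive_params(url):
    """Names of query parameters in url that look like session identifiers."""
    names = {k.lower() for k in parse_qs(urlsplit(url).query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def attachment_risks(app_origin, download_url, referrer, headers):
    """Return findings describing why an HTML attachment that a browser renders
    in spite of Content-Disposition: attachment could still be exploitable.

    app_origin   -- scheme://host of the application that holds the user session
    download_url -- URL the browser fetched the attachment from (its 'location')
    referrer     -- page that linked to the download (what Referer would carry)
    headers      -- response headers of the download, as a dict
    """
    findings = []
    hdr = {k.lower(): v for k, v in headers.items()}

    if not hdr.get("content-disposition", "").lower().startswith("attachment"):
        findings.append("response lacks Content-Disposition: attachment")

    # A browser that renders the file inside the hosting origin gets that origin's
    # cookies and DOM; serving attachments from a separate domain limits this.
    if origin_of(download_url) == origin_of(app_origin):
        findings.append("attachment is served from the application origin")

    # Even an isolated-origin render can read location and document.referrer,
    # so session material in either URL is exposed regardless of the isolation.
    for label, url in (("download URL", download_url), ("referrer", referrer)):
        leaked = sensitive_params(url)
        if leaked:
            findings.append(f"{label} carries session parameter(s): {', '.join(leaked)}")

    return findings


if __name__ == "__main__":
    # Constructed sample: separate attachment domain, no secrets in either URL.
    print(attachment_risks("https://mail.example.com",
                           "https://dl.example-attachments.net/a/42/test.html",
                           "https://mail.example.com/inbox",
                           {"Content-Disposition": 'attachment; filename="test.html"'}))
```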