Firefox UTF-7 Universal XSS
Update 24 Sep 08: Seems fixed in Firefox 3.0.2, with
https://bugzilla.mozilla.org/show_bug.cgi?id=441876
Demo, to accompany my message:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/058814.html
See also:
https://bugzilla.mozilla.org/show_bug.cgi?id=408457
https://bugzilla.mozilla.org/show_bug.cgi?id=406777
https://bugzilla.mozilla.org/show_bug.cgi?id=356280
http://www.mozilla.org/security/announce/2007/mfsa2007-02.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/058752.html
The encoding must be selected manually via View > Character Encoding > UTF-7:
the frame then inherits the encoding from this page,
even though the frame had correctly specified its own.
To trick the user into selecting UTF-7, the page should say something like:
Due to a bug in Firefox, the following may not display correctly.
If you cannot read the message below, then please
go to View > Character Encoding and select UTF-7.
+AEc-+AG8-+AHQ-+AGM-+AGg-+AGE-+ACE-
If you do select UTF-7, then you will see a JS popup with your
google/gmail cookies. Similar attacks would work against
practically any website, both http and https (I chose gmail
at random, and apologize to them).
Of course we could have used <iframe style='display:none'>
to do this silently, with actions nastier than an alert().
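As an added illustration (not part of the original demo): a small UTF-7 decoder in Python, used to show that the lure string above decodes to harmless text, together with a defender-side check that flags shift sequences decoding to HTML-significant characters, which is what a filter or server-side scanner would look for in content meant to be served in another charset. The sample strings are constructed for this example.

```python
import base64
import re

# A UTF-7 shift sequence: '+', a run of modified-base64 characters,
# then an optional '-' terminator. "+-" on its own encodes a literal '+'.
SHIFT_RE = re.compile(r'\+([A-Za-z0-9+/]*)-?')


def decode_utf7_run(b64: str) -> str:
    """Decode one shifted run (modified base64 of UTF-16BE) to text."""
    if not b64:
        return '+'  # "+-" (or a bare '+', treated leniently here) is a literal plus
    padded = b64 + '=' * (-len(b64) % 4)  # restore base64 padding
    raw = base64.b64decode(padded)
    raw = raw[: len(raw) - (len(raw) % 2)]  # drop a dangling odd byte (padding bits)
    return raw.decode('utf-16-be')


def decode_utf7(text: str) -> str:
    """Decode a whole UTF-7 string: direct characters pass through unchanged."""
    return SHIFT_RE.sub(lambda m: decode_utf7_run(m.group(1)), text)


def find_hidden_markup(text: str) -> list:
    """Return (encoded, decoded) pairs for shift sequences that would turn into
    markup-significant characters if the viewer reinterprets the page as UTF-7.
    A document declared as another charset has no business containing these."""
    findings = []
    for m in SHIFT_RE.finditer(text):
        decoded = decode_utf7_run(m.group(1))
        if any(c in decoded for c in '<>"\''):
            findings.append((m.group(0), decoded))
    return findings


# Constructed samples: the demo's lure string, and one that smuggles tags.
LURE = '+AEc-+AG8-+AHQ-+AGM-+AGg-+AGE-+ACE-'
TAGGED = '+ADw-b+AD4-bold+ADw-/b+AD4-'

if __name__ == '__main__':
    print(decode_utf7(LURE))              # Gotcha!
    print(find_hidden_markup(LURE))       # [] -> nothing markup-like hidden
    print(decode_utf7(TAGGED))            # <b>bold</b>
    print(find_hidden_markup(TAGGED))     # flags the encoded '<' and '>'
```

Python's own `utf-7` codec gives the same result for both samples, so the hand-written decoder can be cross-checked against it.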
Paul Szabo
psz@maths.usyd.edu.au
24 Sep 08