JAR archive traversal via SCRIPT src
Posted: Sun Jul 19, 2009 10:50 pm
by .mario
Hi,
I hope this is the right place - I did some testing with JAR files on remote locations and src attributes for script tags. Resulting in this example:
<script src="jar://sites.google.com/site/jartest00mario/xss.jar!/attack2.js"></script>
http://heideri.ch/jso/jar.html
http://sites.google.com/site/jartest00mario/xss.jar
jar://sites.google.com/site/jartest00mario/xss.jar!/attack2.js
'Block JAR remote resources being loaded as documents' was checked during testing. I assume this is not expected behavior.
Used NoScript version: 1.9.5
User Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Greetings,
.mario
Re: JAR archive traversal vis SCRIPT src
Posted: Sun Jul 19, 2009 10:54 pm
by .mario
Same behavior on "V. 1.9.6.2 - Your Friendly Web Cop"
Re: JAR archive traversal vis SCRIPT src
Posted: Sun Jul 19, 2009 11:08 pm
by therube
The first part, heideri.ch, fails, because it requires JavaScript.
If heideri were Allowed, then the script executes.
view-source:
http://sites.google.com/site/jartest00mario/xss.jar
view-source:
http://sites.google.com/site/jartest00m ... attack2.js
I would not expect that to work (like I should know), but it does.
Are you able to put together a minimalized testcase?
So what, the first bug is with jar:, then after that, that NoScript is not blocking the JavaScript.
http://noscript.net/faq#jar
Re: JAR archive traversal vis SCRIPT src
Posted: Mon Jul 20, 2009 7:04 am
by Giorgio Maone
Welcome .mario
.mario wrote: I hope this is the right place
When you're in doubt if it's some sort of vulnerability, my email is a better choice.
If it's a usability bug or an RFE (like in this case), this place is perfect.
.mario wrote:
I did some testing with JAR files on remote locations and src attributes for script tags. Resulting in this example:
<script src="jar://sites.google.com/site/jartest00mario/xss.jar!/attack2.js"></script>
[...]
'Block JAR remote resources being loaded as documents' was checked during testing. I assume this is not expected behavior.
This is actually the expected behavior, since the "Block JAR remote resources being loaded as documents" option is meant to block documents, not scripts, and copes with an entirely different kind of potential attack scenario, i.e. a web site you want to XSS allows uploading of JARs but not publishing HTML pages, and you manage to sneak an HTML document inside a JAR and XSS the site.
So there's no NoScript bug here, but I find Google's liberality with file types a bit disturbing and I can clearly see where you're going.
Therefore I'm considering yours as an RFE to block resources (scripts, CSS, whatever) from within JARs to be imported cross-site.
Re: JAR archive traversal vis SCRIPT src
Posted: Mon Jul 20, 2009 9:23 am
by Giorgio Maone
Re: JAR archive traversal vis SCRIPT src
Posted: Mon Jul 20, 2009 10:25 am
by .mario
Awesome - thx

Re: JAR archive traversal vis SCRIPT src
Posted: Mon Jul 20, 2009 1:16 pm
by therube
So does the JAR menu page need a slight text change?
... documents, scripts & CSS
Anyhow,
just as I Allow heideri.ch, I get an alert from my firewall
Like what!
207.46.232.182. Turns out it is Microsoft (updates presumably).