AOH :: HP Unsorted S :: B06-5869.HTM

Sage cross-context scripting -> LOCAL-CONTEXT SCRIPTING



Sage cross-context scripting -> LOCAL-CONTEXT SCRIPTING
Sage cross-context scripting -> LOCAL-CONTEXT SCRIPTING



Correct me if I'm wrong but the following description from
 is wrong: 

"Attacker-supplied HTML and script code would execute in the context
of the affected website"

Code is NOT executed within the context of the affected site but
rather within LOCAL CONTEXT.

I tested this vulnerability myself, and I can confirm that it allows
you to read arbitrary files from the local filesystem by getting
someone to subscribe to your malicious RSS feed (the feed needs to be
read with Sage Firefox extension). The reason for getting scripting in
the local context is because the feed is stored locally, and then the
injected scripting code is executed.

Furthermore David Kierznowski should also be credited with the
discovery of this vulnerability (in addition to pdp and Kevin
Hamilton):

http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/ 

Additionally, as an update, there are 2 new cross-context scripting
vulnerabilities found in Sage by David Kierznowski and Rick. Then
again, we have LOCAL CONTEXT SCRIPTING. So forget about restrictions
to running scripts within the context of the vulnerable site:

http://michaeldaw.org/md-hacks/rss-injection-in-sage-part-2/ 
http://michaeldaw.org/md-hacks/rss-injection-in-sage-part-2/#comment-1058 

Finally, I'd like to make clear that Firefox *doesn't* show any
security warning when executing JavaScript locally (whereas IE
*does*). So when exploiting this cross-context scripting vulnerability
in Sage, Firefox will show NO SECURITY WARNING to the user whatsoever.

More on Firefox not showing security warnings when launching evil HTML
files locally:

http://www.gnucitizen.org/blog/web-pages-from-hell-2/ 

-- 
pagvac
[http://ikwt.com/] 

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.