[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Checking existence of firewalled web servers in Firefox via iframe.onload

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Checking existence of firewalled web servers in Firefox via iframe.onload
From: Georgi Guninski <gguninski@xxxxxxxxx>
Date: Tue, 18 Apr 2023 16:03:04 +0300

In short in Firefox 112, it is possible to check existence
of firewalled web servers. This doesn't work in Chrome and Chromium 112
for me.

If user A has tcp connection to web server B, then in the
following html:

<iframe src="http://B"; onload="load()" onerror="alert('error')" id="i1" />

the javascript function load() will get executed if B serves
valid document to A's browser and will not be executed otherwise.

This work for both http and https, and for http it is allowed
B to be IP address. Under some configurations of Apache2,
it serves http despite having https configured.

In some sense, this is close to nmap via javascript in a browser.

Potential privacy implication is when the attacker guess the
range of firewalled IPs and check them all in a loop.

For online test:
https://j.ludost.net/onload1.html

-- 
guninski:  https://j.ludost.net/resumegg.pdf
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Prev by Date: [FD] [CVE-2023-22897] SecurePoint UTM <= 12.2.5 “spcgi.cgi” Remote Memory Contents Information Disclosure
Next by Date: [FD] Checking existence of firewalled URLs via javascript's script.onload
Previous by thread: [FD] [CVE-2023-22897] SecurePoint UTM <= 12.2.5 “spcgi.cgi” Remote Memory Contents Information Disclosure
Next by thread: [FD] Checking existence of firewalled URLs via javascript's script.onload
Index(es):
- Date
- Thread