
[Full-Disclosure] multiple web browsers, multiple bugs - onUnload and location.href
WARNING: please open a new browser instance for it.

Try http://www.informatik.uni-frankfurt.de/~polzer/rbiclan/location

The page is SUPPOSED to prevent going to somewhere else by changing
the URL back in onUnload (even that is already a reason to disable
JavaScript).

The interesting part is: depending on browser, you see different bugs.

Konqueror: an endless loop of alert boxes, seems to have crashed GNOME
(killing konqueror did not make GNOME usable).

Mozilla, Netscape 7 or Firefox: almost works correctly. Except for two
small bugs: View source shows the source of Google or wherever you TRIED
to go, while you SEE the unload-trap page. The other bug: when you
close the browser window, onUnload is executed TWICE (you see two
alert boxes, with the number increasing) and the new page is loaded,
but not displayed. But the view-source bug somehow looks suspicious.
Do other parts of Mozilla think it was another website too?

IE (according to someone on IRC, not verified by me): seems to work
perfectly. For one time. Sometimes it goes to google, displays Google,
but shows the www.informatik.uni-frankfurt.de URL in the location bar.
Entering a search expression then uses the wrong domain name. Could
perhaps be used for reading content from "foreign" web sites, didn't
try.

Netscape 4: seems to work perfectly, no view-source bug or similar.
Until you close the browser window, where it becomes an endless alert
loop.

Opera: works perfectly, no bugs found. Except that this is evil.

Links2: does not support onUnload (good thing!), therefore seems not
to be vulnerable. However, do not expect a browser that crashed on
"var i = 203; ''.charAt(i);" where 203 was a "magic number" and whose
source has variables and comments in Czech only. It took them a long
time to fix that bug I reported, but at least they finally did it. Even
so, that made me change to w3m.

Except for IE, no "big holes" seem to be possible with that. However,
it proves that onUnload is evil (we already know that) and perhaps
shows new, until now unknown, browser bugs that may lead to
something exploitable. Have fun!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html