Uzbl


FS#25 - Malicious code execution through crafted URIs

Attached to Project: Uzbl
Opened by Anonymous Submitter - 2009-05-31 09:30:19 AM
Last edited by Dieter Plaetinck (Dieter_be) - 2009-06-07 11:43:22 AM
Task Type Bug Report
Category uzbl-core
Status Researching
Assigned To No-one
Operating System Linux
Severity Low
Priority Normal
Reported Version Development
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

It is possible to execute malicious code through specially crafted URIs.
The same works if you load the special URIs manually.

Demo:
http://habarnam.ro/uzbl_demo/

A JavaScript alert will pop up with the "Oops!" text when WebKit tries to display the URL back to the user.

Comment by Dieter Plaetinck (Dieter_be) - 2009-06-07 11:43:05 AM
Hmm, why is this malicious? I mean, on a page you can also basically execute any JS you want; why is it worse when it's done like this?
Comment by dx (dx) - 2009-06-15 07:28:41 AM
I was considering whether this would affect image URLs in forums, for example. But it does not; it's in the uzbl new page handler.

That JavaScript has less access than a bookmarklet/javascript: URL from other browsers; it's a new page instance.
Comment by Dieter Plaetinck (Dieter_be) - 2009-06-20 09:41:09 AM
New page handler: say what?
Less access than a bookmarklet/js: so what does this mean? Is this issue invalid?
Comment by Brendan Taylor (bct) - 2009-06-26 12:34:24 AM
bob_f pointed out on IRC that it would be a problem if the href could be formed so that the script element would be executed after some site on another domain was loaded.

I don't think that is possible. The script element that is being executed is embedded in the error page that is produced due to the malformed URL (do Inspect Element on the error page to see). This page has the URL about:blank, so I doubt there is any possibility for cross-site scripting.
Comment by Brendan Taylor (bct) - 2009-06-26 12:35:55 AM
WebKit should be escaping the URL that's written to the error page, but I don't think there's anything we can do about that.
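The escaping bct refers to, as an added example that is not Uzbl's or WebKit's code: a hypothetical html_escape() plus a simplified error_page() builder (assumed template) whose unescaped variant pastes the URL into the page as markup and whose escaped variant renders it as text.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Entity for each character that carries meaning in HTML, else NULL. */
static const char *html_rep(char c) {
    switch (c) {
        case '&': return "&amp;";   case '<': return "&lt;";
        case '>': return "&gt;";    case '"': return "&quot;";
        case '\'': return "&#39;";  default:  return NULL;
    }
}

/* Hypothetical helper (not Uzbl or WebKit code): return a malloc'd copy of
 * s with HTML-significant characters replaced by entities, so the string
 * renders as text even when it contains markup. Caller frees the result. */
char *html_escape(const char *s) {
    size_t len = 0;
    for (const char *p = s; *p; p++) {
        const char *r = html_rep(*p);
        len += r ? strlen(r) : 1;
    }
    char *out = malloc(len + 1), *o = out;
    if (!out) return NULL;
    for (const char *p = s; *p; p++) {
        const char *r = html_rep(*p);
        if (r) { memcpy(o, r, strlen(r)); o += strlen(r); } else *o++ = *p;
    }
    *o = '\0';
    return out;
}

/* Simplified error page (assumed template). escape=0 pastes the URL verbatim,
 * so markup in the URL becomes part of the page; escape=1 escapes it first. */
char *error_page(const char *url, int escape) {
    const char *tmpl = "<html><body><p>Could not load: %s</p></body></html>";
    char *escaped = escape ? html_escape(url) : NULL;
    if (escape && !escaped) return NULL;
    const char *shown = escaped ? escaped : url;
    size_t n = strlen(tmpl) + strlen(shown) + 1;
    char *page = malloc(n);
    if (page) snprintf(page, n, tmpl, shown);
    free(escaped);
    return page;
}

int main(void) {   /* constructed sample: a malformed URL carrying markup */
    char *safe = error_page("http://example.invalid/<b>x</b>?a=1&b=\"2\"", 1);
    printf("%s\n", safe); free(safe);
    return 0;
}
```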