New Vulnerability Affects All Browsers
Jimmy writes "Secunia is reported about a new vulnerability, which affects all browsers. It allows a malicious web site to "hi-jack" pop-up windows, which could have been opened by e.g. your bank or an online shop. Here is a demonstration of the vulnerability"
With Firefox 1.0. I suspect it may have something to do with Tab Browser Extensions.
Thank goodness we've found our first vulnerability in Firefox. Now we can move from the myth that free software is impervious to exploits, and into the reality that vulnerabilities are acknowledged and patched faster in most free software projects. Gentlemen, synchronize your watches. Will the Firefox team have a fix out before Microsoft even admits it's a bug?
I am running Firefox 1.0. I tried the link that said 'With Pop-up Blocker', and it displayed a dialog saying that I did not have a pop-up blocker.
I refreshed the page, and tried the link that said 'Without Pop-up Blocker'. It opened up the Citibank website, but it did not hijack my Citibank popup window.
Same thing happened to me under IE6 (except I did not get the dialog when I clicked on the 'With Pop-up Blocker' link).
Maybe it works under certain circumstances, but I couldn't reproduce it.
Move along....
/.!
Looks like they hijacked my
I'm sure the Moz team will have a fix out soon, but I seriously doubt Microsoft will have one out fast enough for us poor slobs that have networks full of stupid users who use IE (sorry, Moz won't cut it unless you can manage it with Group Policies...)
A friend of mine tried it with a 1.0 preview build of firefox on his hpux workstation. It opened two windows instead of one -- one window was sized correctly and had the bank's designated content, the second window was the same size as a regular browser window and it had the phishing content in it. I think he said he reported their phishing failure to secunia, but I doubt they'd change their story, it would be a lot less sexy.
Anyone else have a build of firefox that wasn't really fooled?
When information is power, privacy is freedom.
Jimmy writes "Secunia is reported about a new vulnerability"
And in other news, Slashdot is reported all about a new grammatical error in the headlines.
Reporting anyone?
Indy Media Watch-Proctologist of the Internet
I opened Secunia, then opened another browser window to Citibank via Ctrl+N, and clicked on Citibank's Consumer Alert button; nothing happened.
But if I used the link from Secunia to access Citibank, the popup is then hijacked.
So it seems like you need to access (click on a link to) your trusted site via an untrusted site to get hijacked?
Rock that crushes, Paper & Scissors that don't matter.
I am using Safari 1.2.4 (v125.12) and I don't get the Secunia pop up.
-- To mess up an OS X box, you need to work at it; to mess up your Windows box, you just need to work on it.--
The spoof stick extension for Firefox and Internet explorer
mac os x 10.3.6... running safari 1.2.4 (the latest build.)
or use auto-update feature
Well, that's one alert I'm safe from. Whew.
US Democracy:The best person for the job (among These pre-selected choices...)
before this is patched for the various browsers? Has there ever been a concurrent hit like this in the past? This may be a rare opportunity to 'benchmark' the various organizations' responsiveness.
Another question...is this something that can even be patched browser-side? And if so, how could it be that *none* of them saw this coming?
the demo come up blank. all i see is a window called (Untitled) (and the globe spins then dies)
I tried the test in Safari 1.2.4 under Mac OS X 10.3.6. I had pop-ups blocked, the normal way I set my browser. Doing the test, I saw the Citibank site fine. When I clicked on the "Consumer Alert" button, it looked like the regular Citibank content. No problem there. I refreshed and clicked on the other "try this test" link, and there still was no problem.
When I turned off the pop-up blocking feature, then when I tried the test, I did see a pop-up from the Secunia site instead of the Citibank text. Now that's a problem.
Clearly, this is just another reason to block pop-up windows.
Insert simplistic political, ideological, or personal proselytization here.
Firefox prevented this site from opening 219 popup windows
Mozilla 1.7.3 no problem
Of course, this also means that a huge amount of programmers can look at the code to find a bug to write a patch to release it to the public.
The bottom line: I switched everyone I know to Firefox nearly six months ago, and haven't had to do a single Malware clean yet.
UTF-8: There and Back Again
Absolutely nothing happened using Safari.
None here on version 1.2.4
T Money
World Domination with a plastic spoon since 1984
You must be new here.
File under 'M' for 'Manic ranting'
I reproduced this successfully on Firefox 1.0 under Linux.
You think there's any irony in a browser exploit page going down in a Slashdot attack?
It would be cool if it didn't suck.
Well, it didn't affect irider, which is IE-based, presumably because it opens popups in its own (excellent) 'tree-tab' system.
I just tried the demonstration in the latest version of Safari.
I just don't believe it. Anything -- even an exploit -- working in all browsers would be unprecedented!
An earlier post said they had firefox 1.0 and the "with popup blocker" link didn't work for them, but the "without popup blocker" linked opened but didn't hijack the site.
I tried the "with popup blocker" link, it opened a new window, but didn't hijack the window away from citibank.com
I guess I don't have to worry about it.
It's a vulnerability, but it's the correct behaviour. Browsers should open the window in the target pop-up window, even if the page opening the page does not own that window, as I recall. As they say, that's no bug...
Since when has this country used intellectual elite as a pejorative term?
Jimmy is terrible at writing.
looks like by all browsers, they mean the browsers they actually bothered to test, of course they still wrote up a security vul. sheet for firefox... Idiots.
You open your online banking messages to find...
Good day,
I am Isaac Shongwe, Prescient Investment, South Africa. This is an
urgent and confidential business proposition...
This only worked for me when I left-clicked, like they said. I'm so used to FireFox now that it was second nature for me to open the Citibank site in a new tab, and the exploit failed to work then.
--- Bwah?
Doesn't seem to work for me on a recent nightly build of Camino.
I had Javascript enabled, which is probably necessary. It compromised a pop-up-blocked Galeon 1.3.18 window just fine. You guys reporting invulnerability, do you have Javascript on?
and says I dont have a pop up blocker. uh. sure.
and you dont have 1337 hacking skilz either
arent these people trolling for business with these stories ?
trying to scare people and then sell them services
maybe when its independently verified I will worry
i did it using safari, got citibank, i have no account but was able to transfer $100 million into an offshore account. That was some test
Anyone seen my jagged little pill?
I must be doing something wrong? I'm using OmniWeb and also proxied through Privoxy (pop-up blocking implemented in both).
I clicked the link for folks WITH a pop-up blocker, and the citibank page opened in a new window, and a javascript alert appeared that reads "You do not have a pop-up blocker enabled" .. uh, I have TWO actually. But never mind that. Dismiss the alert, and I then click on the "Consumer Alert" graphic and absolutely nothing happens.
:^)
Okay actually, OmniWeb showed a blocked pop-up in the *Secunia* window, behind the citibank window. Odd. Let's see what that window is.
Okay, it's the citibank pop-up about "spoofs". No message from Secunia. So I guess I'm not vulnerable this way.
Now I close the citibank window and reload the secunia window to try the "WITHOUT pop-up blocker" link. Again, the citibank page opens in another window. I click on the "Consumer Alert" graphic.
This time, the content of the Secunia window is *replaced* with the citibank pop-up (back button disabled, because it replaced the contents, and I opened the original secunia link in a new window so it doesn't have slashdot in the history either). And no pop-up indicator, no message from Secunia.
So does that mean I'm not vulnerable? Is it OmniWeb or is it privoxy that's "protecting" me?
Note: It also doesn't work in Lynx, my other favorite browser.
Camino 0.8.1 (Build 2004082512) on X 10.3.6 (without the latest security patch) displays the Citibank page. Safari 1.2.4 (v125.11) is just giving me a blank page (although that could be the ./ Effect; the site got noticeably slower in the time it took me to launch Safari and try it out). Ooo-rah OS X!
Facts do not cease to exist because they are ignored. - Aldous Huxley
The only thing that happened when I did their test for pop-up blockers with Firefox is FF kept telling me it was blocking a huge amount of pop-ups.
Safari 1.2.4 seemed to pass their test. No vulnerability there.
I really don't consider this a vulnerability as much as a form of social engineering / taking advantage of the stupid. Similar to phishing - you don't see someone saying that phishing scams are a mail client vulnerability.
Don't Tread on Me
The first since 1.0 maybe, but certainly not the first outright.
As far as I can tell the problem is fixed in the latest Opera beta so they might be able to get it into a proper release pretty soon too.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Firefox 1.0 on Red Hat FC3. I followed the instructions and clicked on "Test With Pop up Blocker" and I received the phishing pop up. Very interesting.
Just tried it with Konqueror 3.1.3 (on Linux, duh), and didn't get the "exploit" behavior--just got a new window with the CitiBank stuff. Tried both "with pop-up blocker" and "without pop-up blocker" methods, and was not able to reproduce the behavior.
Your Friend,
D
but they really need to work on their instructions. it's not really clear that step two has to happen before you can click the image shown in step one... the instructions for step one make it sound like the window will open automatically.
I have discovered a truly remarkable proof which this margin is too small to contain.
Please note. If you wish to run the test multiple times, then please refresh this page before each test.
"It's not working, maybe I'll refresh" *refresh* "nope, still nothing" *refresh*.
Multiply that by Slashdot...
I don't get it.. I can't get it to work in Safari 1.2.4. Is my browser broken, and by broken I mean fixed.
"Secunia Research has reported a vulnerability, which affects most browsers."
The first damn line of the vulnerability test page says MOST, not ALL browsers.
Firefox 1.0, Gentoo
You have to do as you are told and click on the Fraudulent warning image too. Try it again, it does work.
Spine World
Who doesn't block pop-ups?
I'll call my mom and dad right now. Does it affect AOL version 3.0?
Best Quote, "Do not browse untrusted sites while browsing trusted sites."
I tried out the test, but when I normally browse I open up new sites in Tabs, when doing this the test failed.
I went back to try the test out again, but this time opened up citibank website in a new window, and it was hijacked.
I would call that an interesting tidbit with FireFox.
...aw.
The links to Citibank from the Secunia site are actually handled by JavaScript. The script sets a timer, then opens citibank. Every second or so, Secunia's script then checks whether you've opened Citibank's pop-up. If you have, it opens a window with the same name (i.e. variable name) as Citibank's window, thus overwriting their content.
So the attacker doesn't need you to click on anything, they just need you to have their site open -- with the timer going -- in another window. Also, the attacker needs to know in advance what name the victim site's pop-up is referenced by. A dynamically generated name could possibly defeat this attack, though the attacker could always crawl the DOM for a handle to the pop-up.
Vino, gyno, and techno -Bruce Sterling
I remember not too long ago this same exploit. Same thing, affected all browsers. Was fixed by Firefox not too long after.
Guess the exploit has been updated, or the exploit was accidentally created again by the Mozilla team.
Clicking on the second link opened up a new window and sent me to citibank, and the window that formerly contained the vulnerability test links now contained a "results" page that, at least as much as I understood, was supposed to be opened up in a new popup window. But the only popup window I got was the one to the bank, as per expected.
File under 'M' for 'Manic ranting'
FF 1.0 on Win2K.
Middle-click to open citibank page in new tab YOU WILL NOT BE VULNERABLE.
Left click and allow citibank page to open in new window YOU WILL BE VULNERABLE.
At least, that's the behaviour I see on this box.
First time I tried it it timed out, second time, it showed the Citibank page. A few other times, showed the Citibank page. One time it did actually show Secunia's crap. Subsequent tries, show Citibank's site.
Firefox 1.0 Windows XP.
Tried a few times and nothing.
Well it does not affect Lynx :)
This bug doesn't seem to affect Firefox with the SingleWindow extension installed.
Go Team GO!
This all boils down to a Javascript vulnerability.
If web masters would stop NEEDLESSLY using Javascript to do things like open new windows, and would use it ONLY when there is no way using HTML to accomplish the same goal, then people would not need to have Javascript active all the time, and the impact of exploits like this would be greatly reduced.
If, instead of using <a href="#" onclick="foo"> or <a href="javascript(foo)"> type constructs, web designers would use <a target="_blank" href="something.html" onclick="javascript(stuff)"> type constructs, then if the user HAS Javascript active, then the web master can micromanage the newly created window. If not, then the user STILL gets a new window, just not one that the web master can remove all the chrome from.
Seriously - when was the last time you heard of an exploit that used straight HTML? All of the recent exploits in ALL browsers, IE included, have been in either Javascript or Active-X, not in the core HTML rendering.
There is a REASON for that.
www.eFax.com are spammers
Using Firefox 1.0.
I followed the appropriate links allowing cookies to be placed by citibank. The window was indeed hijacked.
I then followed the same links but this time not allowing citibank to place any cookies. The window was not hi-jacked.
Be aware of what/who is placing cookies on your machine!
I just don't believe it. Anything -- even an exploit -- working in all browsers would be unprecedented!
Lynx appears to be unaffected.
The affected page isn't loading up at all!
Oh wait...
Well, it's a simple enough trick. The Citibank popup window has a name, called 'spoofing'. After clicking on the "Open Citibank Website" at the Secunia site, a script loops waiting for the existence of the window called 'spoofing', and when it finds it, it tells it to load a different site. Guess it's not exactly a programming error, but just lax security, allowing a different window to grab another window's variable.
I guess a patch would involve warning the user that the the pop-up is being controlled by an external window.
What time is it/will be over there? Check with my iPhone app!
I didn't get the behavior that they were talking about using Safari 1.2.4 on OS X 10.3.6 but I am glad to hear about this since it sounds more like a short-coming in how pop-ups are defined to work rather than just a bug. Hopefully this will become a reason for sites to realize that HTML forms work more reliably than pop-ups and aren't so annoying to users.
Security is always used as a way to confuse those who don't understand it and scare them into doing something else. Let's hope that this actually makes something good happen for once.
I tried the exploit in Firefox 1.0pr without the exploit working. So I thought I'd try it in IE, so from the Secunia.com page loaded within Firefox "Right Click > Open Link Target in IE" I go and once again, poof... not working. Finally I loaded the Secunia.com page in IE, then clicked the link and only then did the exploit work.
So there you have it... Firefox seems to protect IE from this exploit, how funny is that!?
"1984" was meant to be a warning, not a guidebook. You hear that Kim Jong-il!? BushCo?!
so is Citibank paying Secunia fat wads of cash for being used in every one of their vulnerability demonstrations or what?
I tried both links in Konq, and neither of them hijacked it.
Anyone got this to work with Konq?
If a first you don't succeed, your a programmer...
... I followed the instructions exactly and this vulnerability doesn't work in my copy of Firefox 1.0. I got the Citibank popup and not the window with text from Secunia.
I guess I am safe, for now.
Registered Linux User
Registered KDE User
First of all, the malicious page must be opened, and remain open. Once a second, it will check for a window with the same name as the one it is trying to take over. If it exists, it will re-write the page it is loading.
Ways to defeat it:
This is really just another case of a "security" firm beating up something that has existed for ages as a "flaw".
Konqueror 3.3.1 with smart pop-up blocking. I'm not sure if that changes anything, but their example didn't work here. Maybe it only works on 3.2.x series and previous?
// file: mice.h
#include "frickin_lasers.h"
I did it on Firefox for Windows first, so I'm pretty sure I did it right.
Looks like Safari is not vulnerable.
But I guess in the defense of the authors, it isn't exactly a major part of the browser market.
I think the 'all browsers' is a bit presumptuous... since the exploit is based on popup windows, browsers like lynx, links, w3m, telnet, your-favorite-lack-of-popup-windows-browser, cannot be susceptible to it.
So I'm inclined to say that it not only *would* be unprecedented, it still is.
Let S_n = {nst+us+vt : s,t in Z \ {0}, u,v in {-1,1}}. For all n in Z where |n| > 2, Z \ S_n is infinite... right?
Konqueror 3.2.3
Might this be a DOM related issue?
I'm not up that much on DOM, but shouldn't a parent web page be able to modify the contents of a popup window?
> when was the last time you heard of an exploit that used straight HTML?
There's apparently a number of known ways you can crash Firefox with malformed HTML tags.
Interesting point, I would also have to say Javascript is much more than a pain for more reasons. I have always hated the fact Javascript used by a developer would only work with IE and not my Mozilla browser.
Web Developers, time to wise up, not just for my sake, but as the above poster has shown for security sake.
The prime vulnerability here (not that they're kind enough to tell you) is that the trusted site opens a popup window with a known name (in this case, Citibank opens a window named 'spoofing'). The malicious page keeps checking for the existence of a window with this name and if it exists, the malicious code stuffs their own url in there instead.
One way to fix this would be to only let a popup be modified or accessed by code that originated from the same domain as the code that opened the popup in the first place.
Another way for site-owners to protect their sites is to either spawn all new popups with a name of '_new' or, if your site needs to access that popup repeatedly after it's created, to generate a random number on the server side, set a cookie on the client's browser, and use that cookie value as the window name. Whenever you need to access the window again, grab the cookie value that only code from your own domain will have access to.
The vulnerability here is that the attacker knows Citibank 'names' that popup "spoofing". If the attacker doesn't know the name of the popup, then the exploit doesn't work.
Kevin Fox
I'm using Firefox 0.8 (I haven't gotten around to updating).
I used the Secunia link in two ways, the first by allowing a new window to be opened up by Secunia when I clicked on the link to citibank. This allowed Secunia to hijack the "popup".
The second way was to open the link in a new tab (via middle mouse click for me). This did not allow Secunia to hijack the "popup", even though the link originated at Secunia.
Target names should only exist within the namespace of the site that created them.
Site A should be able to create and interact with a window named "popup".
Site B should be able to create and interact with a window named "popup".
This should happen without either site interfering, blocking or overwriting the other. They should simply be invisible to each other, existing in completely separate little worlds.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
What about Lynx?
No vulnerability here. I clicked on both links and Citibank shows just fine. I am running ZoneAlarm as well but I don't think that is the reason the vuln doesn't work.
I tried it without pop-up blocking on at all, and it did work. I guess Konqueror is more secure with smart pop-up blocking.
// file: mice.h
#include "frickin_lasers.h"
why not? HTML works on all browsers - so a simple exploit theoretically (maybe factually) could exist.
If we can just do to all the sites that exploit this what we did to the demonstration site, then this shouldn't be much of a problem.
Every time you post an article on Slashdot, I kill a server. Think of the servers!
Headline: New Vulnerability Affects All Browsers
*SIGH* when are all those...um...browser users going to realize that they should just switch to...umm...no...other browser?
I mean, don't they get sick of...all...their browsers getting...I mean....hmmm
Huh.
Here's a vulnerability that works in ALL browsers. It's a DoS attack.
while(1)
{ alert('doh!'); }
i have pop-up blocker on, running latest firefox on linux. tried appropriate link and got their warning message. for science/giggles i tried the "without pop-up blocker" link and i got the regular citibank message.
If it affects this many browsers, it's most likely a security bug in some standard. It could be something in HTML or ECMAScript (a.k.a. JavaScript/JScript). The only other possible explanation is that they all use the same code.
// file: mice.h
#include "frickin_lasers.h"
"...Here is a demonstration of the vulnerability"
Uhhh yeah right buddy. Maybe next time you should be a little more stealthy in trying to hack an unsuspecting user.
If you think
safari 1.2.4 seems to be working normally, i didn't see anything that resembled a vulnerability to me, so i guess it's one of those things apple users get to be safe from again while we sit back and enjoy the havoc that everyone else deals with?
Citibank seems be going quite slowly ... maybe it is being /.ed ?
Or maybe it is part of an evil plan to DOS their site ?
Did anyone read the report on this? The solution is amusing.
Solution:
Do not browse untrusted sites while browsing trusted sites.
You do get weird behaviour if you don't follow them. It's a fairly 'fragile' example.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
'Nuff said.
"You can't screw the system, but you can give it a good fondling." -- Too lazy to look it up
Seems to be in bugzilla.mozilla.org as defect 273699. (Direct link wouldn't work anyway.)
And people laugh at me for using lynx...
A new virus has been released that allows malicious hackers to steal your credit card number. Click here for a demonstration.
Okay - it does work. I am an idiot and can't follow instructions. :)
Requires the clicking on the citibank link
Of course, I happened to have A LOT of popup alerts ("Firefox prevented a popup BLAH") in my top-bar. Like a hundred :-o
I *guess* the vulnerability DID work in Mozilla because AFAIK... Mozilla doesn't have Firefox's popup blocker... yet.
finally people are coding to standards!
[alk]
Don't access your Bank Account from imgonnastealallyourfunds.co.us.kr.fr.ca
How do you get Java to work with Lynx?
Konqueror appeared to work correctly for me. Did anyone else have a problem with it?
I'm running kde 3.3.1.
And here's why:
It only works if you open the link from their site. So yeah, if they control the session they can do what they want, OMGWTFBBQ duh!
Easy test to prove this:
1 - Open CitiBank with their link and be horrified.
2 - Now, leaving their windows open, open a new browser window and go to exactly the same URL, and hey presto - it doesn't work!
So yeah, it's a cute trick, but I wouldn't be wetting my pants over it...
You insensitive clod -- that was _my_ account, thank you very much. And yes, I have a Citibank account. Well, HAD. :)
... it too would be vulnerable. Who allows pop-ups anymore? Oh yeah, IE users.
Safari with Block Pop-Up Windows (Command-K) turned ON and this hack simply does not work (using tabbed browsing _if_ that matters). Allowing pop-ups and sure enough
Why bother guessing the name of the pop up? Just create a NEW pop up that LOOKS like the target site. Obviously the user had pop ups enabled anyway right. They don't seem able to access preexisting content in the target pop up.
This vulnerability is not worth fixing. I don't see how a "fix" would be effective.
The "name" of a window should only be visible to pages in the same domain. This should be a fairly simple one to fix, just prepend the name of the domain that created the frame to the internal name assigned to the frame / window. Then multiple sites can have a frame called "pictures" or "details" without this kind of conflict.
I've also thought previously that the name of the frame could be used in cross site scripting as a way of passing information between sites.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Okay - finally learnt to read the instructions :)
It does work, and I will crawl off into a corner and hit myself around with a Clue-stick. It was a temporary PEBKAC error and nothing more.
As far as I can see the W3C doesn't go anywhere near touching this stuff, it's outside the scope of what they do.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
"Kinda like walking back and forth through a bad neighborhood while counting your cash."
Whew! Thank God, I'm unemployed. Talk about dodging the bullet.
Opera 7.11 on WIN2000 (older version, it's what i have at work) opens the CTI site and the spoof in separate windows, with or without popup disabler. I have to check it with newer versions though, i will when i get home.
Ignore my post - I have problems reading and following directions... as do most other /.ers here apparently :)
Yes, it does work as advertised, even on Safari. So it is a vulnerability.
You're right. lynx is not affected.
One way to avoid these types of attacks is to isolate your security sensitive browser sessions.
So, you might have a browser installation dedicated for your realtime brokerage account/banking and another for general surfing.
Ideally, these would even run under different user IDs.
Modern browsers are large and complex. As such, they will always be a security problem. Isolating them seems like a decent solution.
All browsers? Except Firefox? and according to posts below, IE6 not affected either?
What all browsers exactly are these? Netscape 2.1?
-- 'The' Lord and Master Bitman On High, Master Of All
Amusingly though, the silly .WAV file sound clip I have Moz configured to play when it blocks a popup went berserk as soon as I clicked on the "With popup blocker" link - it's about 4 seconds long but I got an endless repetition of the first half-second, so it sounded like a CD that's got stuck, and it was very obvious that something was wrong. I guess that was the Secunia page's Javascript looping waiting for the popup window to appear.
Also, I confirm another poster's assertion just now : this only seems to work if you use a link on the malicious webserver to open a window on the Citibank site. If you open Citibank by typing the URL into a pre-existing window the problem doesn't occur, and the normal Citibank anti-phishing advice appears in the requested popup window.
If you don't pray in my school, I won't think in your church.
Come on .. let's say they "fixed" this .. why cant an evil site just create a NORMAL pop up that looks similar to the citibank pop up? All they seem able to do is inject content.
Ah well, knew my links wouldn't hold up forever....
Just tried - Camino 0.8.2 on OS X 10.3.6 IS vulnerable.
All browsers 'eh? Firefox 1.0 with std. settings didn't get affected?
This should go great with Firefox's big billboard ad =)
"If any question why we died, Tell them because our fathers lied."
Firefox prevented this site from opening 764 popup windows.
You know, I think I'd get the idea after the first few hundred popups, Secunia...
Interestingly, the vulnerability doesn't seem to work if you open the Citibank link in a new tab instead of a new window.
My lynx browsing is totally unaffected.
Molls and trolls, molls and trolls... There is more to the web than formatted content. Dynamic websites have been a must to attract hits since 1998. Facts of life, deal with it.
It works under firefox under Linux (Fedora Core 3 FWIW).
It's not really a bug, but a clever use of standards to mislead. It relies on JavaScript and popup windows (though it works fine with "good" popups, which Firefox and Mozilla allow).
This bug is probably best addressed by some small fixes from the browser vendors for the short-term, but with a re-evaluation of JavaScript and HTML to guard against social engineering by the standards bodies.
Which one of the affected browsers is the first to fix this?
According to MozillaNews the following work around can be applied to Mozilla/Firefox:
1. Enter about:config in the Location Bar.
2. Enter dom.disable_window_open_feature.location in the filter field.
3. Right-click (Ctrl+click on Mac OS) the preference option and choose Toggle (the value should change to true).
This issue is already being worked on in bug 273699 (copy link location, paste) filed a few hours ago.
As a side note, being able to see the bug fixing progress unfold is one of the many reasons why I love open source. I am able to learn so much from just seeing the process take place from start to finish, how it is reported, test cases created, problems that arise, insights into other parts of the system, who the people involved are, reviews, patches, etc.
[alk]
Example: Sites that pop up their "main" window from their "entry tunnel." Exactly what justification do you have for thinking I still need to view your entry tunnel?
Example: (as mentioned,) sites that use Javascript to open windows. Granted, this practice came around before Opera/Mozilla introduced us to the wonders of tabbed browsing, but what's the point of pulling up a "diversionary" window and forcing the user to close it? Afraid they might not understand the concept of the "back" button?
Example: using flash/java/shockwave/etc to perform functions that could be handled in HTML, especially now that we have DHTML. I have trouble with understanding the argument "we will be more successful if we deny access to some percentage of the population."
etc etc etc. IMHO, this is a symptom of the problem where people assume "everyone else thinks / acts / behaves in the same way I do."
and don't go to your bank's site without shutting your browser down first. Every window.
If you're accessing an account with a lot of money, reboot the computer first.
Common sense.
(And one of the reasons I hate Microsoft -- they keep pushing everybody to behave like this sort of thing can't happen. It ain't ready for prime time yet.)
Here is a demonstration of the vulnerability
Doesn't affect me, since I can't get to the demonstration page. The Slashdot effect is protecting my browser.
Don't bother fighting. Slashdot will never stop being on the insightful vanguard of 1993 technology.
Whenever I hear the word 'Innovation', I reach for my pistol.
way to sensationalize there, weekly world slashdot!
where do these "security companies" come from? there's like a new one every month...
did any one notice this?
The vulnerability demonstration worked only once on my Mozilla browser. Without restarting secunia.com, if you again click on the vulnerability test for pop-up injection, Citibank correctly opens the Citibank popup.
I guess this is because the timer expires after we click on the link once; after that it has no idea when we will click on the link again.
In related news, they've just discovered a new vulnerability that affects all servers. It's called Slashdot.
I'm using Konqueror and cannot figure out a way to get the vulnerability to work. Perhaps Konq is immune?
I think that whoever made up this vulnerability needed to do more testing first. I'm in Firefox 1.0 on Mandrake linux 10.1.
No problems here.
I'm using Opera 7.54 for windows, and the "With Pop-up blocker" link worked flawlessly for me. However, the no pop up viewer one didn't. Looks like this method is kind of hit and miss when it comes to browsers.
Oh well, Opera users don't get to feel left out now!
More to my preference, don't target new windows. I do my browsing in one window, and I hate when clicking a link opens a new one. If I want a new window, I will ask for it. (Besides that, I never want a new window. I have tabs. If I want a new tab, I will ask for that.) I've disabled target=blank, but javascript will still open new windows. Worse, I can't shove the damn thing back into my real browser session without cutting and pasting the URL, where target=blank can be put into the current session with a middle or right click.
To Do: Write plugin to redirect target=blank to a new tab.
Write a plugin to flame the webmaster of the current website on a button click. Maybe a few checkboxes to select [poor standards compliance/opened windows I don't want/Excessive use of Javascript/whatever]
Well since the target attribute of the anchor link is not part of the XHTML 1.1 Strict standard, web developers who *are* actually concerned about standards are required to use Javascript to perform the pop-up behavior. By using standards-based design and manipulating the DOM via Javascript, we can accomplish anything. No need for the clunky "onclick" or even the outdated "target" attributes.
Thank you Mr. Obvious...
You've never actually tried to get a web page looking the same in all browsers, have you :)
Cheers.
I read that the following Javascript code is sufficient to cause a crash in many Javascript-enabled browsers (Lynx need not apply, and you will need to turn on Javascript to have any chance to see this work):
Copy that into a text file, open it with your favorite web browsers and be prepared to lose work.
But I'm having odd results in two copies of Firefox 1.0. In my installation of Firefox 1.0 (from Fedora Core 3, fully updated) I get a prompt that lets me cancel running the scripts (I get prompted once per SCRIPT element). Running Firefox 1.0 from mozilla.org on Fedora Core 2 (again, fully updated) the browser quickly crashes.
Any hints as to why one Firefox is crashing and the other not? I'm guessing that there is a Javascript execution timeout setting I could adjust with about:config in the FC2 Firefox 1.0 which crashes? If so, which settings are relevant?
Thanks.
Digital Citizen
Not Vulnerable.
I have all the 'advanced' javascript options turned off except the 'images' one.
"You do not support the root but the root supports you." - Romans 11:18
So they are all vulnerable?
Let the race to see who fixes first begin. Any bets on who fixes it first?
This is the same as being able to open a new window .. its honestly not a major security exploit.
There is a striking resemblance to the cross-browser "vulnerability" discovered by the same group a few months ago.
Remember this?
Looks like they tweaked their Javascript to take advantage of a similar problem with the Javascript model.
Unfortunately, this is not Strict XHTML 1.0 compliant. The XHTML Strict 1.0 manner of doing the same thing is much more complicated.
// file: mice.h
#include "frickin_lasers.h"
You need to cite which version of firefox. I have FF 1.0 (not the PR release), and secunia's site couldn't even tell that I had the popup blocker in firefox turned on, much less do anything malicious with the citibank popup.
7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
Just fer the record.
Firefox, Mozilla, Opera 7.54, and IE all give me the same results:
The ORIGINAL window that came from secunia.com, opens to what citibank is trying to show in the popup, while no new window opens. Hmm.
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
Uh, I guess the Subject covers it.
is vulnerable.
If, instead of using <a href="#" onclick="foo"> or <a href="javascript(foo)"> type constructs, web designers would use <a target="_blank" href="something.html" onclick="javascript(stuff)"> type constructs, then if the user HAS Javascript active, then the web master can micromanage the newly created window. If not, then the user STILL gets a new window, just not one that the web master can remove all the chrome from.
Sorry, this is incorrect. For better or worse, according to the W3C, opening windows via JavaScript is the only proper way to create new windows. In fact, the target attribute has been removed from standard HTML since at least HTML 4.01 strict.
If you remove the target="_blank" from your second example, you'd actually be doing it right. In this case -as you said- the user would get to the new link regardless. If they had JavaScript turned on, they would get whatever niceness the web developer wanted. If not, they would just get the raw page.
David
I only use javascript to add functionality, un-clutter interfaces and do client-side validations. Why should I have to put up with having to NEEDLESSLY remove functionality because of BUGGY IMPLEMENTATIONS.
This is a joke. I am joking. Joke joke joke.
The Spoofstick extension clearly shows that the popup is from the Secunia site, not a site controlled by Citi.
LOL! I suppose I should change my /. password now, just in case Secunia's proof of concept had a more-than-friendly bit of code in it.
I'm running 1.0. Sorry I thought that was a given.
I cannot get the exploit to work on my machine using Konqueror. Perhaps it is the pop-up blocking or security settings (Very tightly set - javascript was enabled, but only because citibank and the exploit site requires it to work).
MozillaNews has a post describing how to unconditionally turn on the location bar in a window. This reveals that the popup comes from Secunia.com. (Having the Spoofstick extension for Firefox also reveals the originating site.) Also, the Mozilla bug number is 273699.
In a sense, the whole *point* of standards bodies is social engineering.
(Yes, I know what you meant - but since this article is currently headed by a grammar flame I couldn't resist.)
I decided that behaving ethically was the most nihilistic thing I could do. - Paul Pavel
That's why I use iFrame popup instead of window popups. With popup blockers already appearing built into browsers, I'm assuming that they will be standard everywhere soon.
With scripting, you can make iFrames draggable, closeable and behave and look just like regular windows but they are, in essence, windows within a window and are tied closely to the current browser.
There are reasons to have popups like, for example, color or date pickers (with a calendar). It is actually much easier to build a draggable DIV than a draggable iFrame but the draggable DIV doesn't show up on top of certain HTML elements and hence becomes useless (even with an infinitely high z-index).
By the way, you can get draggable iFrames to work in both MSIE and Mozilla. I just bought my iMac for testing but I'm pretty sure I can get it to work in the mac versions too as they all have the necessary language and DHTML components. All I can say though is that JavaScript and DHTML are definitely vendor dependent, and I don't care if you are mozilla or Apple or Microsoft, they ALL have quirks and bugs that go outside of the specifications. In many ways, my high speed photoshop-style image scripting program (for use on web servers) was easier to write in C# than trying to figure out how to make things work across every browser out there!
Anyways, programmer alert. I wouldn't depend on popups working in the future if your app depends on it. Make sure to use iFrames or have a non popup dependent way of doing the same thing!
Sunny
Be my Friend
Javascript (or more properly ECMAscript) is going to play more and more of a role in the web browsing experience, like it or not. Witness gmail. This sort of dynamic page refreshing can only be handled with the DOM and I think script-written content is going to spread as developers attempt to make web apps act like local apps, with an entire dynamic layer loaded into the client. This is scary, but good. The possibilities opened up by, say, XUL and PHP xmlrpc are just too tantalizing for developers to ignore. All that has to happen is that security models need to evolve with the technology as its underlying possibilities are exploited. The essential thing that needs to be preserved is the integrity of the namespace. But this is completely doable. Despair not and evolve!
grammar-lesson free since 1999. (rescinded - 2005)
The way you do that is to generate the target window name dynamically, when your main page is first brought up (and use a session-cookie on the client to keep track of what that name was).
Javascript is actually supposed to be able to do this... the fact that it can be "exploited" in this way is a consequence of people using predictable names for popup windows.
File under 'M' for 'Manic ranting'
I have a couple quick questions that hopefully someone with more knowledge and more info on this vulnerability could answer:
1) How, if combined with Phishing, could this be used to your advantage?
2) Would this give you ways to get around an SSL connection, i.e. having the hijacked window still connect the bank over SSL, but you can sniff the data passing back and forth through scripts?
3) Could the hijacked window be used in any way to impersonate the trusted site to do things like install malicious software?
Thanks in advance for any replies!
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d Capitalization really works: i helped my uncle jack off a horse
It only works on my Mozilla 1.7.3 if I use the "with pop-up blocker" link. Not so on the other one.
https sessions are encrypted, right? What happens if a third party tries to hijack an encrypted pop-up? Would it just come out as garbage?
If they can hijack encrypted windows, then it's a big problem. If they can't, it's no big deal. Anybody can intercept an unencrypted session; this exploit is just one more method to do so.
Having another window control popups is a feature of javascript (and html, via target=""), nothing new. They are just looking for hits.
javascript popup windows, in my experience of web application development, are analogous to dialog boxes in any other non-web based application.
letting people change settings/preferences/whatever without having to make them refresh their main view into the application (unless the changes set in the dialog affect the current window state) is pretty nice - from both a usability and performance perspective.
in your model no matter what the user would have to load a new window to get to the preferences/settings screen, then reload the window they were already at.
using a popup window for the same functionality the user only has to load one window (the popup) then when they hit submit (or whatever) the action is executed on the server, the popup is automatically closed, and the user is presented with their initial window without having to wait for it to reload.
I have encountered many times where this type of behaviour is not only what the client wants, but what is also best for the client.
popups, as most casual web consumers have come to know them are not what popups were intended to be. But a metaphorical representation of a dialog box, imho, is.
I am using a pb g4 with 10.3.6. in Safari to try this and the sploit doesn't work against this machine.
411 Y0UR 8453 4R3 8310NG 70 U5!! -NSA
I personally do not want to see ANY entry tunnel I do not want to.
If you really want to open a pop up window, don't turn off the bloody URL bar and other assorted bits that help a user understand where they are.
It's incredibly sad that pretty much every bank I've ever used doesn't think I might like to know that I'm really talking to their server when I use their web interface.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
I just read the w3c page and it sure looks like the "target" attribute is still there. After all, how on earth could you target a frame with an anchor or a link without using the "target" attribute?
My system:
Slackware 10, Konqueror, and Mozilla 1.7.3.
Results with Konqueror: the popup did NOT point back at Secunia, it pointed at Citibank. Perhaps this is because I have Konqueror configured to open new windows in tabs and have "smart" popup blocking enabled. Would someone try and confirm this? If it is the issue, then we can block the vulnerability in Konqueror, at least.
In Mozilla, the popup trick worked. Bad Mozilla!
FYI
Farewell! It's been a fine buncha years!
Using Links here, and it's not working. Are you sure it is *all* browsers?
when it takes Slashdotters 5 minutes and other people's help to activate it...
Just an interesting note - if I left click on secunia's test page, and secunia opens citibank in a new tab, the exploit works.
If I middleclick on the test page and *force* firefox to open the site in a new tab, the exploit fails.
I don't know enough to know if this is a limitation in the exploit or in how they've written the exploit, but it's odd and interesting
An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
On IE that code will make the browser lock up after about 5 seconds, but it crashes without bringing down the system.
Anything -- even an exploit -- working in all browsers would be unprecedented!
The fact that something working in all browsers amazes people is quite sad...wasn't that the point of STANDARD protocols and languages (TCP/IP, HTTP, HTML, etc)? It just proves how much damage Microsoft has done by extending everything it embraces with polluted, proprietary technology meant to create a captive audience. Only when EVERYTHING--including exploits--works on all browsers/platforms will we have "won the battle".
Anyways, it is alarming, but it doesn't look like an actual bug--it looks like a flaw in the design of Javascript (or the generally accepted behaviour). One more reason to minimise or eliminate Javascript from your websites. At any rate, it appears about as serious as any phishing scam (via email or web). Users already have to pay attention to the content of emails (asking for sensitive information, odd email headers, etc). Now they just have to do the same with web pages. I noticed right away that the status bar at the bottom of the spoofed pop-up window did not say citibank ("contacting secunia.com" or some such thing). Plus, right-clicking the window and viewing document properties showed the URL plain as day (on Firefox 1.0 anyways). At least I know now to look carefully for an odd URL (numerical address, citibank spelled c1t1bank, NOT https, etc).
The fact that the 'net is so risky for non-savvy users is also a testimony to the failures in design we must overcome.
Say, why is it that when IE has a bug in it, everyone hypes on Microsoft, but when there's a bug like this that affects all the open-source browsers, it's treated as business-as-usual and no one slanders them?
I follow Slashdot for its good coverage of IT news. But I get REALLY sick of hearing so much ill-founded bias against Microsoft and for open source. Open source is good, but Microsoft has its respectful place too.
Yeah also locks up firefox as well, is JScript too powerful or something to be used safely ?
All browsers?
I think not!
-Bill
(And I didn't even mention telnet'ing to port 80!)
SlashSig Karma: Excellent (mostly affected by moderatio
So I wonder what's different between yours and mine. Does it require an open session to the net or something? (I'm behind NAT)
http://docs.info.apple.com/article.html?artnum=61798
"Safari
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1122
Impact: With multiple browser windows active Safari users could be misled about which window activated a pop-up window.
Description: When multiple Safari windows are open, a carefully timed pop-up could mislead a user into thinking it was activated by a different site. In this update Safari now places a window that activates a pop-up in front of all other browser windows. Credit to Secunia Research for reporting this issue."
I tried to see if my FF 1.0 is affected and it worked fine, but then I remembered that I have Proximition proxy set up to filter everything I do not need on a web site. It also filters popup scripts thus blocking the exploit.
Two things:
Fine, javascript is entirely unnecessary. I'm sorry I mentioned it. Next thing you know, I'll go spouting off about XML. Time to bash my stupid head into the wall again.
You've got to think about accessibility when making links, imagine Javascript turned off. Does it still work? Imagine using a screen reader, can it follow the link? The HREF should be a valid URL to the page you are trying to display, if Javascript is turned on, you override the behavior by attaching an event to the anchor in question.
This excellent article on ALA should answer any pending questions on the issue.
BTW, the target attribute of anchors was dropped between XHTML 1.1 Transitional and XHTML 1.1 Strict.
After all, how on earth could you target a frame with an anchor or a link without using the "target" attribute?
You would use an appropriate doctype for a framed page:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
"http://www.w3.org/TR/html4/frameset.dtd">
Note: This doctype is not the same as the HTML Strict doctype
David
Sorry, this is incorrect. The target attribute for anchors still exists in the Frameset versions of the HTML 4.01 and XHTML 1.0 specifications. And for better or worse, HTML 4.01 and XHTML 1.0 Transitional are still standards published by the W3C. Sure, people who want the absolute latest, newest, shiniest, flashiest, whiz-bangiest version can use XHTML 1.1 Strict (which gets you... er... ruby tags, and that's about it), but it's also currently impossible to build a site which follows the XHTML 1.1 spec and is usable in any version of Internet Explorer.
get it right
Sure, it could be done in the same page but then it's an argument about whether dialog windows are a good thing, and usability tests show that they are.
Needless use is bad, but that doesn't mean it's always bad, and please don't jump on this vulnerability to continue an anti-popup bandwagon. This is a security issue, and could have existed in any topic independent of popups.
Dunno if it's confined to the PPC/Mac OS 9 version of iCab -- I rather doubt it is -- but it definitely got hijacked on iCab 2.9.8 on Mac OS 9.2 on a beige G3.
(I woulda tested on the OS X box, but it's getting a new screen in Texas right now...)
p
In Korea, long hair is for old people!
I tried this 5 or 6 times with firefox 1.0 following the instructions exactly. I never once got the hijacked popup or even a 'popup blocked' message. Only the http://www.citibank.com/domain/spoof/learn.htm window.
Pop-up blocking and Javascript are enabled. The only non-standard thing is that I have the TBE extension loaded: all popups go to a new tab, and all javascript 'advanced' settings unchecked except 'change images'
Yeah, this is the first thing that came into my mind as I read slashdot in lynx, however, I wasn't able to log in to post. So, the tradeoff is there: being immune to some silly vulnerability, or having a completely functional browser. Take your pick..
Friends don't help friends install M$ junk.
By using standards-based design and manipulating the DOM via Javascript, we can accomplish anything. No need for the clunky "onclick" or even the outdated "target" attributes.
Great, I'll just remove all of the target attributes from my webpages once I figure out what that first sentence means.
Seriously, there's a good reason why web browsers still parse older HTML standards. It's because you shouldn't need to be a programmer to make one! Basically, they're just documents with hyperlinks, and sometimes that's enough. Okay, I understand why there are extensions for making fancier pages, but they aren't mandatory for a good reason. Popping up a new window so that a viewer can, say, compare two webpages side-by-side shouldn't require a professional.
It most certainly does affect Firefox.
OK, I've read through a bunch of Slashdot posts, and I've considered my experience with this thing, and here's my web developer's opinion of this "vulnerability":
;)
In Javascript, if (and only if) your web page opens a new window, it "owns" that window. In other words, you have access to the whole DOM in that window. You can step through the document object, alter things, and so forth. This is how things are supposed to work; it's what enables us to open new windows and interact with the user. For example, maybe you want to pop up a window, ask a couple of questions, get the results, and close the window. Something I did recently at work was code an informational popup this way, because we had to kind of shock the user a little, to prevent them from just clicking "OK" to close all the alerts we were sending them. We made the popup very pretty and noticeable. OK?
So, the guys at Secunia decided that was a vulnerability and they set up this little test to scare everybody. So...
IF you went to a crooked website, and IF you clicked a link to pop up a site like Citibank's FROM THE CROOKED WEBSITE, and IF you went about your business on Citibank's site and clicked their crooked CSS overlay or popup (or whatever, you can probably do it in a couple of ways) THEN and ONLY THEN would you be sent to a crooked popup window with which they could phish you.
In other words, in order to really make use of this, a phisher would have to:
1. Get his code onto an actual commercial website so that people would find it and unsuspectingly click a banking link;
2. Evade capture for long enough to collect a bunch of credit card numbers (or whatever), with the commercial site's security team coming after him with knives sharpened;
3. Avoid having the crooked popup's web URL or IP address traced back to him by the FBI or Interpol within a day or so;
4. Figure out a way around the bank (or whatever) putting a huge banner on their site saying in bright red flashing letters "DO NOT APPROACH THIS SITE VIA A WEB LINK! TYPE THE SITE ADDRESS IN YOU SCHMUCK!" (or just putting a parent.close(); line of code in their existing Javascript, plus some code to refresh the page from the bank's server, clearing out anything from the crooked site -- would this work? I haven't tested it yet -- but I'm sure there are other ways to do it and the bank's developers are smarter than phishers, generally).
BUT, even if the phisher DOES figure all this out, it won't do him any good, because
WHEN PEOPLE GO TO THEIR BANK'S WEBSITE, THEY USUALLY JUST TYPE IN THE URL OR USE A BOOKMARK!
So, in short, I think this is nothing much to worry about.
Discuss!
the draggable DIV doesn't show up on top of certain HTML elements and hence becomes useless (even with an infinitely high z-index).
this is only true for internet explorer. for some reason microsoft saw fit to implement select menus as a "windowed control" (whatever that means) which completely ignores any z-indexing rules. if you're careful about how you use select widgets (i've heard flash plugins can cause this problem too- i've never felt inclined to mix flash and dhtml myself).
this is a problem i've been fighting with off and on for at least four years. thanks for the tip on iframes- not sure why i never thought to try that before. there are of course times when an iframe won't work- it is, for example, extremely difficult to work with the DOM inside an iframe from outside of the iframe- but still this is a good trick to keep in mind.
If I don't put anything here, will anyone recognize me anymore?
FF automatically blocked the popup, and I tried both the with- & without-popup-blocker links.
Hail Eris, full of mischief...
E pluribus sanguinem
This is interesting, because the Netscape plugin API requires specification of a target when the plugin requests a URL from the browser. (Not coincidentally, URL-getting methods in Flash also require specifying a target.)
I think this is one of those cases where the W3C can kick and scream all they want, but entrenched technology (and zillions of pre-existing web pages) will still win.
I see no problems in a week old cvs build. Despite trying both.
...checked, and it doesn't work. However, I figured out both why it didn't work, and a temporary fix.
I'll check the refresh issue above.
"Smart" Javascript (Config Konqueror->Java & Javascript->Javascript tab-> Open window policy: Smart) blocks it.
The reason (and why Smart really is smart) is it only allows new windows to be opened in response to a mouse click. (no OnLoad events or in this case I believe a refresh timer.) Thus the pop-up is NOT allowed to open. This also lets the vast majority of legitimate sites work properly. (I've only got 2 listed that it doesn't work with...)
Konqueror's SMART setting prevents it. Allow doesn't, Ask might (depends on user...). Deny also prevents it.
Mosaic v1.0 users are also reportedly not affected. Nevertheless, experts strongly encourage Mosaic users to upgrade anyways.
-- listen to interesting music, support independent radio... WPRB
I tried in IE, Mozilla, Firefox, and Netscape. Didn't work in a single one of them. And to be sure I tried both links in each browser. Either I have some patch(es) that others don't, or something's just broken and not 4 different browsers
http://shit.slashdot.org/article.pl?sid=04/12/09/0053205
Do you have JavaScript turned off? If you do (and perhaps if you have certain JavaScript features turned off, which Firefox/Mozilla does let you do), then it can't possibly work.
Secunia is reported about a new vulnerability, which affects all browsers.
I tried with IE 6.0, Firefox 1.0 and Opera 7.54, using pop-up blocker. The exploit was successful with IE and Firefox, but not with Opera!
Old news but unresolved ;(
only with firefox not IE, What-up?
Sig: BEEeeeP,,Please press pound, so I can get on with my fucking life!
Now I can sleep easier. :-)
I had the same "select z-index" problem with Mozilla 1.0. Haven't tried lately.
it doesn't seem to affect Lynx.
This is news only to the lazy southern inbred idiots
that prefer wal-mart over newegg. Build your own, learn how it works, quit screwing your relatives.
Also, don't right click on it to open the citibank website or it still won't work. It seems that with firefox you have to left click the citibank link.
that was probably a blanket spam (but you knew that).
There'd be no way they'd actually do it if they knew what GNOME was or how it worked.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Here's a vulnerability that works in ALL browsers.
Wrong. Try again.
I think there is an easy fix for this. Basically the exploit is based on the fact that you can use javascript to open a window with the target the same as another window and overwrite the other one's content.
Well, why not make a new rule in javascript that would disallow any javascript code to access any popups that aren't a direct child of the current instance of the browser.
Basically what I mean is to have each window in its own namespace and have the child window share said namespace. (I think one would have to not allow grandparents to access it either though).
so basically if two separate windows open a window with target="name" then 2 windows are opened, one for each instance, and they have nothing to do with each other.
proxy
Oh, so you have to enable javascript for this "hack" to work :) and even if, it may not work. Sorry guys@secunia, javascript is such a luxury which I enable only purposely on (pretty rare) occasions.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
..unless its a design flaw in a standard. It seems this exploit just abuses the 'power' of JavaScript.
Safari is reported not to be vulnerable in the proof-of-concept. Doesn't mean it's not vulnerable at all.
WE DON'T NEED NO BLOG CONTROL.
This is why latest web standards are broken. These standards should be marked as being "in beta test" or maybe even "in alpha test". I'll stick with the versions that work securely. Being able to manipulate the DOM (see, the problem is there is one) via Javascript is why things are insecure. The standards need fixing. And it might not happen until the entire W3C is replaced by people who are more security conscious.
now we need to go OSS in diesel cars
"Looking the same in all browsers" is not an original goal of HTML.
XML causes global warming.
Netscape 4.77 (an old browser) is immune. Of course, one of the reasons is this browser came out before the W3C started doing so much of the nonsense with "web standards". I use "web standards"; I just use the last version that worked right, not the latest version which should be marked as "still in beta test".
You make a great point, but since the open sores world thrives on the least common technical denominator (that is, they want the world to stand still so they can catch up), your point will be ignored.
The IBM Web Browser version of Mozilla doesn't seem to be vulnerable.
Does anyone else think that secunia's proof of concept looks like an attempt of /.-ing the CitiBank web portal?
Serban
Like many others, it didn't work for me on Firefox. It did work on IE. Perhaps Secunia needed to detail more on the browsers setting. Even though I had a pop up blocker on IE, it still worked. It didn't for Firefox I think because I have Extensions installed. One of the Extensions may have changed a setting that the exploit needs.
Well, there's spam egg sausage and spam, that's not got much spam in it.
I have it on, but I have the "hide status bar" and "change status bar text" stuff turned off. But that wouldn't seem relevant....
Any time the Ivory W3C Tower thinks it can remove a feature, it's pretty much doomed for failure. Web browsers are going to support and until the end of time.
Every time there's an exploit in a relatively secure piece of software, some dork like cyranoVR is going to jump up and act like there's no difference between any software. At least that's what he seems to be implying.
Cyrano, why don't you suggest something positive? Dillo, which does not use scripting, and Konqueror 3.3.1 do not have this problem. If you love M$ and Winblows, why don't you tell people to avoid visiting their bank's pathetic javascript based, no-security, hacker owned website, while browsing porn? Oh, because some other exploit will get them? Or will the malicious site simply run a zero sized window, like Windoze lets them? As you say, Hmmmm.
Are you telling me that I should move from one of the fine free web browsers available to some piece of crap like IE? It's hard to tell, because all you have done is whine about Slashdot readers. Of course that's all you can do because reality gets in the way of anything you might say directly.
Many is not all and the free browsers get fixed, so moving to a free browser on a free OS is a good idea. Users of non free software are indeed sick and tired of their computers not working. With all the holes in them, that's no surprise at all.
Friends don't help friends install M$ junk.
Links is much better.
*BZZZRT* Sorry. You're wrong. Removal of the "target" attribute would break frames, which is still HTML 4. Even on the page you linked to, "target" is still listed as a valid attribute. Blockquoth the page:
Following the "target" link to the "frames" section, you'll find a link to recognized HTML link targets in HTML 4
Even the current draft of XHTML 2.0 doesn't remove the "target" attribute. It doesn't place any restrictions on the attribute, but rather passes that duty to the environment the link was in. For instance, XFRAMES. XFRAMES does not specify "_blank", or any frame id for that matter. It does state that, "If no matching id is found, then the targetted resource is processed in an entirely new environment (for instance, a visual browser might open a new window)." So just as long as you don't specify a frame id as "_blank", "_blank" will work exactly as expected.
"Firefox has prevented this site from opening 1632 pop-up windows. Click here for options..."
...And now 2000... persistent little bugger...
And this is a version of Firefox I installed approximately two weeks ago.
The Penguin Producer
There is more to the web than formatted content. Dynamic websites have been a must to attract hits since 1998. Facts of life, deal with it.
Client side scripting = dynamic content? I'm sure that's very illuminating to the PHP or Cold Fusion programmers in attendance. And you are actually invoking chronological technophilia in that stunning technical analysis. The irony makes my eyes bleed. You must be a technology columnist.
Next time you go tell someone to get with it, you might want to be sure what "it" is, not to mention what century you're in.
Hmmm, FF is vulnerable, but IE6 running on CxOffice isn't.
Oh well, what the hell...
1. 'target' is certainly part of standard html.
http://www.w3.org/TR/html4/present/frames.html#ad
Just because it isn't defined initially by the A tag doesn't mean the A tag can't use it.
2. From http://www.w3.org/TR/html4/types.html#type-frame-
PS. Hey mods, if you don't know about a subject, don't mark a post 'informative' just because there's a link in it.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
AdMuncher is one of those random 3rd party popupblockers (and many other features) piece of software...
this vuln doesn't work with admuncher running
but the vuln works without it running...
so no worries for me!
http://www.admuncher.com/
"an eye for an eye only makes the whole world blind"
Idiot..
Opera 7.60 P3 on Linux and Konqueror 3.3.1 on Linux do not display the symptoms of this New Vulnerability. Does this mean that they are not part of All Browsers?
Incidentally, this IE/Moz-only exploit does make Opera's page-loading usually-hidden yellow bar thing sort of slightly go crazy before you click the "Consumer Alert" image, but it amounts to an extremely minor annoyance at most.
For some reason, I'm really pissed off that this topic's creator only checks IE and Mozilla to determine that an exploit is universal. I'm smooth enough to let snubs at lynx, links, elinks, Eudora Web, Blazer and Pocket Internet Explorer (for these browsers, though in current use, likely do not show the exploit) go, due to the nature of those particular browsers, but Konqueror and Opera -- my two most commonly run browsers -- are at least as full-featured as IE and arguably so against Mozilla.
--
-JC
http://www.jc-news.com/parse.cgi?coding/main
http://www.jc-news.com/coding/freedom/
Blech, doesn't work with the links text browser. Windoze users have all the fun...
It didn't work for me with firefox....of course I have tabbrowser extensions installed.
I even disabled the popup block in ff, nothing.
I can get opera and IE to do it but not ff.
I tested this, first while reading comments in /. The comments were opened in a new tab. When a tab is opened using "Open this link in a new tab" this will not work. But when I exited FF and pasted this url in the address bar, this worked perfectly :(
raj
Sarovar.org Hosting for open source projects in Indi
target is gone in xhtml 1.0 strict
Opera 7.60 Preview 4 is unaffected. However, the dialog saying there is a popup is going nuts... memory usage is rock solid at 34megs and it's not moving up or down, so it's not causing any problems.
As some others have stated, this is actually the intended behavior being demonstrated (and I guess it's technically a "vulnerability"). Semantics aside, just how dumb does someone have to be to happen to be at a malicious site at the same time that s/he opens up some very trusted application over the Internet? I generally don't trust any pop-up from any site, and for super-important things, I always close the browser first, start fresh, then close the browser when I'm done.
I have no problem in Firefox 1! I tried both (pop-up and non-pop-up)
*BZZZZZZT*
XHTML1.1/Strict does not have the target attribute, though. (Download the DTDs and grep for "target", it's not there)
XFRAMES must be something new. I've read that they were going to completely remove the target attribute from (X)HTML as you can create "frame"-effects with CSS and "position: fixed".
Ah well, I'll continue to use my non-existent-target removing javascript parsing popup-rewriting proxy (onclick -> proper href) (NETRJPP).
(Yes I am completely aware of the fact that "position: fixed" does not work in IE, and that using it results in very slow scrolling in Firefox. Thank you very much.)
Vulnerable if not using popup blocker. Not vulnerable if using it.
Konqueror 3.3
I click on the link and get Citibank
is that so bad?
The meat is there:
"...<a href="http://www.citibank.com/" target="citibank" onclick="begin();..."
The begin function does malicious stuff. So - the malicious site needs to attract you to click on this link and then foresee what you could do on the target site and then spoof the target popup window.
Happens a lot that you go from a malicious site directly to your bank with a link from there and then a popup window asks you for your password - right?
Btw. Citibank has throw-away (1-use) CC numbers; not a bad idea.
You have a Pollyanna view of the world. People _are_ going to follow malicious links to trusted sites. They'll see the link in an email, it will be wrapped in some convincing text, and we're off to the races.
There is no getting away from the fact that there is a namespace bug here. The offsite link should run in a separate namespace. You appear to be arguing in favor of leaving this obvious brokenness the way it is.
When all you have is a hammer, every problem starts to look like a thumb.
Neither of my banks opens any browser windows.
All browsers? Can someone tell me how to get this to work on Lynx?
LedgerSMB: Open source Accounting/ERP
Seriously, a 'vulnerability' in the 'oh shit!' sense of the phrase is "an opening by which an innocent user could get fscked by no fault of their own".
This strikes me as about as dangerous as the post-SP2 "Warning! If you copy and paste shit files from the net and click a few boxes, YOU COULD GET SPYWARE!".
For the record, I just nuked and reinstalled XP-Sp2 + hotfixes a few days ago (for once, not because it was fucked up, but my new raid0 array), so I have cherry IE6 and unextensioned-FireFox 1.
I tried several variations of the convoluted instructions, and could get no explicitly dangerous behavior. Mozilla didn't bat an eye, and IE once popped up a box saying "The script is trying to close this window, do you want to let it?" If I let it, then it opened the Citibank site in the window again.
Oooh, scary.
I'm sure there may be some actual, dangerous vulnerability here somewhere. But I've gotten better instructions from the Japanese ASUS site, translated through google.
If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
At least *something's* got a chance at becoming a standard in the world of web design, right?
SNACKS ARE AWESOME
I hope the IRS never finds out -- the Government might actually try and come after you! ;)
I don't think this vulnerability is eliminated by using popup blocking. I tested Firefox 1.0 (OS X) with popups disabled, and it was vulnerable.
Time to break out the zombie repellant.
Sure HTML 4 is a standard, but it's extremely loose and does not generally produce good markup. On the other hand, there are some great sites written with the XHTML standard in mind, but because old habits are hard to break, you see them sticking with the HTML 4 DOCTYPE. A good example of this would be ESPN (espn.com), Yahoo and Netflix (netflix.com).
Meeting the XHTML Transitional standard is a great thing to do, and if you cannot break away from attributes such as "target", "border", "name", etc., then stick with Transitional. There are really just some minor differences between the Transitional and Strict standard, but I still think that those differences are important and make sense from an accessibility point of view.
I have no idea what sites you would deem "real-world" enough to prove to you anything, but Wired Magazine (wired.com) has been standards-compliant for a long time. Red Hat (redhat.com) has recently switched to an XHTML layout that looks great. The widely used Blogspot (blogspot.com) is fully XHTML 1.1 Strict compliant.
Show me a "real-world" site that does XHTML 1.1 correctly.
Are you trying to imply that the thousands of XHTML Strict websites out there produced by web/graphic designers, web developers, bloggers, and those who are supporting the standards are doing something wrong? I've never heard such skepticism before over web standards. I suppose you wouldn't have that position if you had a disability which hindered your ability to use a computer, like maybe not being able to move a mouse?
I tried it using IE and Firefox.
Firefox 1.0 quietly submitted to the hijacking of its browser window.
Internet Explorer (under XP sp2) also submitted, but as soon as I opened the citibank page, it started making a lot of loud popup killing sounds.
Apparently, the exploit works by continually trying to place its html into the new popup window.
Man that's scary. You don't even have to fall for a phishing email to get caught by this one... and Firefox (at least in my case) seemed more vulnerable than IE, simply because it was so quiet.
ph33r the power of Arachne, bioatch!
I use Safari with PithHelmet and the Secunia page is blocked.
With PithHelmet off and Popup blocking off, I still don't see the Secunia page in Safari.
In iCab, the exploit appears.
- Zav - Imagine a Beowulf cluster of insensitive clods...
No problems. Secunia's site lists an older version of Opera as vulnerable (ver. 7.54)
My gallery: www.estiasis.com/modules.php?name=gallery2&g2_ite
I use winxp with service pack2. On IE with popup blocking enabled it opened to the citibank site and then started a "pop has been blocked" loop on the original window. It was sort of annoying how it kept looping but suffice to say the vulnerability didn't work.
On Netscape 7.1 with popblocking enabled, it opened the citibank site and nothing else happened.
so it seems the vulnerability doesn't work if you have popblocking enabled
did you forget to take your meds?
I just ran the test with Konqueror in SuSE Linux 9.2 based on KDE 3.3.0 and the problem does not exist.
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
Is it a namespace bug? What if I have one web server that accesses stuff on another web server? So I have my one site, site A, which has one set of content. And I have another site, site B, which has another set of content and passes some info back to site A.
Currently, from site A I can open a window to site B, do a little something, get some data back, and continue with more stuff on site A.
It amounts to a question of business requirements.
If this scenario is something you want to disallow completely, then fine, strip this capability out of Javascript. Have the Javascript system check the origin of each window to make sure they're all on the same site.
But make sure nobody is using the feature, because if they are, they'll veto your change. And I think this IS being used, like for example banner ads which open up windows to other sites (but which probably get some data back from the new window and log it, or do something else).
Now what? Of course, even if you figure out you don't want to do this, what are you going to key on to figure out whether sites are on the same server? DNS address? What about load balancing, where different requests go to different servers? OK, what about trying to figure things out from the URL? That can be spoofed too. Maybe you don't think there should be ANY popup windows. But I think the people who built the browsers would disagree, because they built the capability in.
It's more complicated than "the offsite link should run in a separate namespace". Any change would involve serious trade-offs, and you will never get any consensus on the issue.
By the way, as I've said elsewhere, if they can get you to click an email link, they don't NEED all this popup magic. All they have to do is show you a spoof site. And that's not just easier, it's more reliable, too. The popup thing is dependent on too many factors. A spoof site just has to look real.
Farewell! It's been a fine buncha years!
Let's see how long it'll take for each browser to get a fix for this... my estimation, by tomorrow Firefox will have a fix. My estimation is that by, oh... possibly SP3 or Longhorn (or possibly never) IE will have a fix for this.
I'm not anti-microsoft. I'm anti-bullshit. Which means I'm anti-microsoft.
Doesn't work with Konqueror 3.3.1
if, instead of using <a href="#" onclick="foo"> [...]
This is really wrong coding. <a href="#"> means "jump to the top of the page". My browser (Firefox) does this correctly, jumping to the top of the page each time I click on such a link. Why do people think that href="#" has no meaning? If you want a link that does nothing with its href attribute, use something like href="javascript:;".
I tried executing the exploit using Lynx 2.8.5 and I couldn't get the damn thing to work either!
Oh god if only I had more mod points to give. This is in fact the only reason that I don't use firefox. IE has javascript whitelisting. Firefox does not. I will never use a browser that does not support javascript whitelisting precisely because javascript is so easy to abuse and because it is almost never necessary.
I don't purchase from sites that use javascript if there are any other sites around that don't. Many all javascript web sites I just completely skip over unless I have a very compelling reason to whitelist them.
I'd like to spend some quality time with these javascript only web developers in a small room with a baseball bat.
Quite an experience to live in fear, isn't it? That's what it is to be a slave.
Not unpossible, just crumulent.
This is news? This trick has been known for about 6 years! It's just a HTML trick you can use to change/close the popup window you get on an account with a free webspace provider. This exact same trick was used on members' Geocities pages way back when it was still possible. How come all of a sudden this has become newsworthy?
I don't see how it can be dangerous either. How would a malicious site know which popups are present from a completely different trusted domain, or if the trusted site is open at all, with the popup opened?
Humbug!
"Exactly what justification do you have for thinking I still need to view your entry tunnel?"
"Exactly what justification do you have for thinking I don't still need to view your entry tunnel?"
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Here's the page that comes up in the popup instead of the actual one: http://secunia.com/resultpage/
If some sites 'need' to span hosts then they should lobby/propose a sensible solution to their problem, not expect insecure behaviour by default.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Javascript is the work of the devil. Leave it off unless you have a damn good reason to turn it on. Why give anyone that much control over your computer just to surf the web?
For firefox or opera just turn it on when you absolutely need it and never forget to turn it off right away when you are done. For IE make use of the security zones to implement javascript whitelisting. That's what I do because with firefox and opera I often don't remember to turn it off again until I start getting annoying popups or worse.
Seems like more than half of these vulnerabilities that keep popping up make use of javascript. That last one with the online banking passwords was pretty scary and made me very glad that I browse with javascript off.
feel sorry for citybank's webserver?
Ignorance kills, complacency kills, hatred kills, but usually not the ones guilty of them.
Rumor has it, patches to support this exploit in Lynx will be available by the end of the week. ;)
Alert!: Unsupported URL scheme!
Now, from where did the "affects all browsers" come? Not the Secunia site, AFAICT, did the slashdot editors add that one? Things are really going downwards if even people on slashdot don't know that there are other browsers than IE and Netscape.
I click on the popup blocker link, and it tells me I don't have a popup blocker and to use the other link. First problem - I do have a popup blocker enabled.
Then when I get the page opened and click on the image link, I get the citibank spoof warning page, not the secunia page.
A quick fix for FireFox 1.0:
-In the "Tools" menu open "Options..."
-Click on the "Web Features" pane
-Then click the "Advanced..." button
-In the "Advanced JavaScript Options" window that opens up, deselect "Raise lower windows"
This seems to stop this specific exploit without disabling all JavaScripts, with and without pop-up blocking.
I am not sure how useful this is amongst the tech crowd, but it could save your artist wife, novelist husband, or fifth grader (who is oddly online banking) from giving out account info.
It didn't seem to work under Lynx... I don't really use that browser, but I'm just saying it doesn't affect ALL browsers.
No, links sucks big time. At least it did when I tried it. Ignored terminfo completely, and sent a combination of VT100 and ANSI escape codes to the terminal, which of course understood neither VT100 nor ANSI escape codes. Hey guys, this is why terminfo was invented in the first place.
At least Lynx *works*
Are you trying to imply that the thousands of XHTML Strict websites out there produced by web/graphic designers, web developers, bloggers, and those who are supporting the standards are doing something wrong?
No, he is trying to imply that "real world" means commercial sites made with Frontpage or DreamWeaver by some point'n'drool moron who thinks the "e" icon is the "enternet".
That's what he said.
But it's not gone in the newest version of the XHTML standard; XHTML 1.0 transitional and frameset have it, whereas HTML 4.01 strict does not.
So they are all vulnerable?
Let the race to see who fixes first begin. Any bets on who fixes it first?
No, they are not all vulnerable. IE is vulnerable. IE is closed. Netscape and its variants are vulnerable. Netscape used to be closed, but is now open. Notice that opening the code does not in itself fix any bugs, it just allows them to be fixed once found. So, now the bug was found, and needs to be fixed.
Lynx is not vulnerable. Lynx is open source. Links is not vulnerable. Links is open source.
Ummm...
This is no news to me. I've known about it for quite some time.
I thought it was already known, since it seems I'm always the last to find out about anything.
me. --a by-product of public education
Exactly what justification do you have for thinking I still need to view your entry tunnel?
Five billion porn sites can't be wrong?
A month or two ago smile.co.uk swapped their system from using a popup to using the current browser window. They have won numerous awards for security (not to mention customer service) in the UK. They told customers this change was to ensure greater security. Looks like they are one step ahead of such vulnerabilities again, unlike citibank or many others.
just another reason to switch to http://www.smile.co.uk/
I don't work there, just a very happy customer.
DRM-free indie games for the PC and Mac: Positech Games
Hmmm. But if you *do* right-click and open the Citibank link in a tab, the exploit *doesn't* work. So, what does Firefox do differently when opening a new window as opposed to a new tab???
Yup. Check out Ian Hickson's "Sending XHTML as text/html Considered Harmful" for a quick primer on what most sites that do XHTML are doing wrong. Check out Evan Goer's list of "X-Philes" for a list of the very few sites which get it right, and his purge of sites from that list for an indication of how easy it is to go wrong even after you've initially gotten it right.
As for HTML generally not producing good markup and being "too loose", I hate to break it to you but XHTML 1.0 and HTML 4.01 are element-for-element identical; the only difference between the two is that one is an SGML application and one is an XML application. And when you serve XHTML 1.0 as "text/html" (e.g., when you do XHTML the way ESPN and others do) you don't gain any of the strictness benefits of XML. And the only thing XHTML 1.1 does on top of that is deprecate a couple more things and add modularization and ruby support, so I'm really not sure where all the "good markup" would come from in a transition to XHTML. Plus there's no reason to believe that serving XHTML 1.1 as "text/html" is conformant, so if you use 1.1 you either break the spec or you shut out IE. Likewise, switching to an XHTML DOCTYPE and using XML syntax doesn't magically confer accessibility on a page; it's just as easy to write a horrid, bloated, table-based images-for-everything page in XHTML as it is in HTML 4.01.
I suspect that you're making a common mistake among people who've just discovered web standards: you're confusing XHTML with good markup and best practices (check out Molly Holzschlag on what standards are and aren't). Anyway, it's quite possible to write beautiful, clean, accessible, semantically rich HTML 4.01 with separation of content from presentation; after all, it's got the same set of tags and attributes as XHTML 1.0, so if you can do it in one you can do it in the other just as easily. And when you consider that serving valid, well-formed XHTML according to the spec can be a nightmare at times, it's no surprise that even "gurus" of the standards world (e.g., Mark Pilgrim, Anne van Kesteren) have gone back to or recommended sticking with HTML 4.01 unless you really need one of the features gained by an XML-based HTML.
And lest you continue to think I'm some sort of skeptic or enemy of web standards, well, every site I've built in the past three years (basically, since I discovered there was such a thing as a "web standard") has been valid, accessible, and CSS-based. I just know from experience that valid markup and stylesheets are one part of the equation, and there are an awful lot of those "best practices" that aren't ever published in a spec from the W3C or anyone else.
"Features" provided by Javascript fall into a very few categories, so far as I can tell:
- Client-side verification
- Eye-Candy
- Replacing standard HTML functionality
Essentially, the categories are "Don't Do", "Don't need", and "Redundant".
This includes validating that all the fields in a form are filled in, as well as checking that the user entered the correct password. Naturally, this is the silliest reason to require Javascript, as the validation step still has to be done on the server side anyway, making the client-side validation a redundant convenience at best, and an addle-brained sign of utter incompetence at worst.
This includes dynamic "feedback", drop-down menus, etc. None of this is what you can call "essential", even if it's very nice and garners rave reviews from the average user.
This includes opening new windows/tabs, following links, submitting forms, and suchlike. This is perhaps the most aggravating reason to require javascript, as it artificially narrows the potential user community of the website.
However, I think it's almost a lost cause.
I think the only way we're going to convince webmasters to think twice about Javascript is to build a runtime debugger/replacement tool into the Javascript VMs in our browsers. Let the user specify wholesale replacement of javascript fragments (e.g. remove the open-window-in-a-popup portion of a tag and replace it with a good old-fashioned anchor tag) and changing of values in the running script (e.g. let's just change that discount from 5% to 95%).
It's my computer after all, and I should get a say in what programs run on my computer, no?
Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
The "target" attribute still exists in the Transitional and Frameset versions of HTML 4.01 and XHTML 1.0. XHTML 1.1 does not have a Transitional or a Frameset version; however, it is a modularization of XHTML which means that the same functionality can be easily re-introduced. For example, Jacques Distler has produced a page using the "target" attribute which is valid against an extended XHTML 1.1 DTD. This is one of the major selling points of XML-based markup and having true XML parsers as clients.
pho-zz
because, off the top of my head : Dillo, Mothra, Lynx, Charon are all safe
there must be numerous other non-mainstream browsers safe
sheesh, let's whip everybody up with ridiculous claims
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
read his links
I tested this on both Firefox 1.0PR and IE 6.0.2900 running on Windows XP SP2 - neither one exhibited the vulnerability.
-- Ed Carp, N7EKG erc@pobox.com PGP KeyID: 0x0BD32C9B What I'm up to: http://intuitives.mine.nu
That's "cromulent." As in, "embiggen is a perfectly cromulent word."
I've never had a pop up window appear while using Firefox, but just now, I got one at this site, check it out, perhaps they are using this latest exploit?
Japanese researchers 'tap' mushrooms for rubber
...it's a feature. WOW, I never though I would say that and really mean it!
...or is it?
I feel like I'm in a Sliders episode. This is just not MY reality.
Life is not for the lazy.
Or even octopuses. Not "octopii." Use a freaking dictionary. I wish the plural is two i's meme would just diie.
This "bug" only works because the pop-up window's name is known. To put a "fix" in to the browser would be very difficult without breaking standards - at the moment any Javascript can reference any open browser window AFAIK.
The people who can't replicate in one or the other browser, are probably not reading the instructions on Secunia's page carefully. Or they are using non-standard settings in their browser.
The issue is real, but not very likely to hit you. But combined with phishing mails it might fool some people.
Firefox is marketed to the general public mostly on security, and issues like this make sure it will not reach its goals if it doesn't emphasize its other strengths as well.
If you don't like having choices made for you, you should start making your own. - Neal Stephenson
As far as I understand the issue, this same exploit is more a blind spot in the HTML / Javascript model than a browser issue. The same kind of trick could be used with frames which bear a "name" too: has it been already dealt with? Is a website allowed to load a page in a frame that has been provided by another site, provided it guesses the correct name of that frame?
- if "yes", then there is a vulnerability with frames and iframes too, using the same trick, and popup blocking will not solve it.
- if "no" -for instance if frames and iframes that are already displayed can only be javascript-reloaded by the same server or domain that had generated them in the first place- then let's proceed in the same way with popup windows. This has been suggested elsewhere in this discussion.
But the real solution lies with the site developers: if one wants to develop a truly secure site with popups or frames, one has to produce unpredictable names for any "target" and urls by dynamically generating random frame names and maintaining them throughout the user's session, and use SSL to transmit the whole thing.
Quite a pain for web developers, isn't it? The other way to do it is to avoid complicated things like frames and popups so that there can be no doubts about the page origin. At least not in Firefox...
I am not Remy Mouton, unfortunately: http://remy.mouton.free.fr/art/
Konqueror 3.3.1 is vulnerable if Global JavaScript Policies - Open New Windows is set to Allow and you use the no popup blocker link. With Open New Windows set to Smart neither link will work.
Sorry if my typing is terrible. I can't feel my finger tips as they are covered in super glue. I just finished my landscape architecture final project.
Question is, why do you need to force a link to be opened in a new window in the first place?
The user should decide for herself whether she wants the link to open in a new window or tab. Every browser I ever used allows you to open a link in a new window/tab (except lynx maybe). And then there's still the Back button.
has no problems with this. the exploit didn't do a thing, the citibank window appeared like it was supposed to
You are wrong. No, I am not going to repeat the bullshit everyone else is spouting about the target attribute still existing in the Frameset version. Frames are evil and stupid and a remnant from the Jurassic era.
The correct answer is that the website should not be trying to control how the user traverses links! It is the job of the web client to allow the user to choose the same window, a new window, a new tab, or download for a link. I have very specific ideas about how I want things to open and the fastest way to piss me off is to override my commands and open a new window. Don't do it.
Now I'll go back to resisting the urge to kiss my Mac. :^)
--Rick "If it isn't broken, take it apart and find out why."
Dude, when was the last time I saw blinking text? *thinking* Nope, drawing a blank.
Maxthon is a wrapper around IE which provides tabbed browsing - plus a few security fixes. When I open up the secure site and click on the link, AD Hunter blocks the popup so Citibank works fine!
doesnt work
Since when does anyone trust links followed from a malicious web site? It's not a side-by-side type thing, the link must be followed from the bad site.. which you don't do when you need to login/etc. And I don't believe you can use a redirect on the malicious site to the target, and still get it to work. Am I missing something? a brain maybe?
-AC
This is not that severe a vulnerability in Firefox if so many users are having so much difficulty in making the demonstration work... That's a complicated sequence of window opening to go through for it to work. What are the odds of many people accidentally doing that?
Especially when, once they've been using tabs for a while, most users automatically open new windows in a tab?
I expect there'll be a bugfix out in a day or three, now it's got this much publicity. I also expect only the latest version of IE to be fixed whenever SP3 comes out. One more reason for anyone using an old version of IE to switch to Firefox!
Just thinking...
. K
Some little JavaScript projects I have done:
- Tic-Tac-Toe - Responsive, looks good, has AI, works in a web browser. The alternatives would be CGI or Flash. I've played CGI tic-tac-toe and it is too slow. Flash seems like overkill
- Scientific Calculator - The bread and butter of Javascript, perform calculations in a web page. I tend to like this calculator better than the Windows calculator because of the free form text entry
- Currency Exchange Rate Conversion Calculator - Again the alternative is CGI but again it is slow. Plus, do you want to send your financial data (amounts you are converting) to some random website? This keeps all your data on the client side.
- At work we are working on a page that shows new data as it is available. Sure you can refresh the page and see the latest, but a bit of javascript to pull new data off the server is both easier for most users and saves bandwidth because it can get just the stuff that is changed and put it into the page in the appropriate place.
I grant that javascript is often misused and I fully support your desire for a whitelist. Thankfully, there is a noscript tag so I can tell people like you exactly what you are missing and you will consider adding my page to your whitelist. But please don't beat me!
On my box, running Mac OS X 10.3.6 with all the latest Software Updates, Safari (1.2.4 (v125.12)) is not affected. I did the Secunia test, and the popup window that opened when I clicked the link was a regular Citibank popup, not the predicted Secunia one.
According to the advisory, Safari 1.2.4 is affected, but to me it seems it's not.
Maybe it's because I have Pithhelmet (an ad filter) installed?
It does not work in Lynx.
;-)
Still the best webbrowser available
My Karma isn't excellent, damn it! (And
Like several people already said... The hijacking doesn't seem to work with firefox (both links didn't hijack me at least, using v1.0) Either way, with new threats, new ways to hijack browsers, work-arounds for popup windows and what not appear, all browsers might need patching.
///<sig
Seriously - when was the last time you heard of an exploit that used straight HTML? All of the recent exploits in ALL browsers, IE included, have been in either Javascript or Active-X, not in the core HTML rendering.
Actually, I remember recently seeing exploits in the image format engines for both Mozilla (See item number 6 in link) and IE.
Frontpage link at slashdot.org have been a must to attract hits since 1998...
javascript sucks and it should be disabled. If most boycott javascript, sites will stop using it.
... not affected period. I tried it four times, and even on my Mac with Safari AND Internet Explorer. Maybe the "affects all browsers" means "affects all browsers other than the ones not designed to run on Microsoft Products".
"Well you're not Fiona Apple, and if you're not Fionna Apple, I don't give a rat's ass."
Flash works cross-platform and cross-browser with minimal debugging/porting effort; JavaScript doesn't.
OTOH, that's not why people use Flash. They use it because the primary reason they have a web site is to shout "LOOK AT ME! I AM SO DAMN COOL!" at hapless users, rather than giving users what they actually want.
This can actually be quite handy sometimes.
http://www.lol.dk/tutorial.asp?id=awr
I just tried their test with Firefox 1.0. Nothing happened... this story is bull.
So your standards based position for javascript being a "proper" way to create windows is incorrect. And older HTML standards are still standards anyway.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
I can't get w3m to be exploited either.
phozz
"Don't try to control your user's behaviour if you don't need to."
...because this often makes him annoyed.
Extract from "The LotusNotes Single-user Software Deployment Guide".
One good turn - gets all the covers.
:( I better upgrade
The Firefox plugin SpoofStick works too, and may be a bit more elegant.
SpoofStick makes it easier to spot a spoofed website by prominently displaying only the most relevant domain information. It's not a comprehensive solution, but it's a good start.
http://www.corestreet.com/spoofstick/
Who needs blink when you can achieve the same thing in CSS :O
Totally agree. I have had major arguments about this and wrote a paper detailing why you should avoid Javascript like the plague, even on Intranets.
Where I have got my way, it has been found that the maintenance effort diminishes significantly. Even MS has JScript differences, even for exactly the same IE build (major, minor) but on different platforms (gasp!).
If you don't keep a heavy handed grip on the use of browser scripting, you find function and scope creep. 'Cos, let's face it, a lot of developers are too lazy to discipline themselves and re-use script libraries. If the whole DOM was a proper object model with strong typing, namespace mangling, standard compiled scripts and the whole project build overhead thing, then perhaps browser embedded code might be useful (IMHO)...
Did he inhale?
Let's see you build something as responsive, usable and practical as GMail without using Javascript.
OK, let's try something easier. I've got a table with many rows where each row contains two sets of radio buttons. When one of the radio buttons in the first set is selected, you shouldn't select an answer in the second set. Thus, I use Javascript to disable the second set of radio buttons when that particular option is chosen. Care to tell me how to do that using regular HTML?
Once you've clicked the link to open the citibank site, go back and close the Secunia site window/tab.
:)
The exploit should not now work.
This is actually Secunia's advice for avoiding real usage of this exploit - do not browse trusted and untrusted sites at the same time.
There we go - tabbed browsing has its drawbacks
-- *~()____) This message will self-destruct in 5 seconds...
this is a dos, and it works
<script>
// DoS demo posted in the thread: grows two strings without bound in an
// endless loop until the browser exhausts memory.
yyy="0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
pezzo=yyy;
while(1)
{
pezzo+=pezzo+pezzo+pezzo+pezzo+pezzo+pezzo+pezzo+pezzo;
yyy+=pezzo+pezzo+pezzo+pezzo+pezzo+pezzo+pezzo+pezzo;
}
</script>
In a shocking and ironic turn of events today, a browser hacker used the millions of geeks on the popular slashdot.org tech news website to iron out a few problems he was having making his exploit work in all browsers. The geeks, often referred to as slashdotter's (/. for short) lept into action and had the exploit working on every known browser within minutes causing the entire internet to implode only minutes later.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Disabled it, my firefox display the fake popup...
We do this for fun.
... tried on two separate installs of Firefox v1 and Windows XP, one with Tabbrowser Extensions and one without and neither were fooled and showed the correct page.
As a web application developer, this is one of those things that drives me nuts. So many sites abuse Javascript, that everyone turns it off. You can do some great stuff with Javascript (http://www.activewidgets.com/ makes a good example), but all everyone sees is the bad side.
Personally, I'd love to see site by site rules on whether Javascript can be used, like we do with cookies (also a great tool that's been horribly misused).
Doesn't do a thing on my Mozilla 1.4.1 on NT (yes, I'm at work). I don't have any fancy JS blocking (other than popups). Can anybody else confirm that Moz 1.4.1 is immune?
Mozilla 1.6, Kernel 2.4.21
By the perception of illusion, we experience reality
It looks like running through privoxy helps, it looks like I only see the vulnerability (in galeon, anyway) when privoxy is disabled.
I couldn't recreate it at least.
Translation: Turn off your computer.
Let's all get security and start looking at turning our computers off.. but on the good side the more issues that are fixed the more secure things become.. I just feel sorry for all those people with 10->100meg+ downloads over a modem.. hrmm oh well the world won't be secure for at least another.... never..
Got a question about UNIX ask it here : Unix/xBSD Forum
They are working on per-site permissions for Javascript in the Multizilla extensions.
What I find comical about the responses to my post is how completely most of the nay-sayers missed the central thrust of the post, which was not "ALL JAVASCRIPT BAD", but " NEEDLESS Javascript bad" (it was even in the title of the post for cat's sake!) - as in, Javascript is a good tool and should be used WHERE APPROPRIATE, and not elsewhere, just as this post uses bold, italic, and all-caps where appropriate, but the whole stinking post isn't bold-italic-allcaps.
www.eFax.com are spammers
Look for the target attribute and the "L" flag in the 6th column of the attributes section of the HTML 4 spec. This means it is only allowed in the HTML 4 Loose DTD, not in the Strict DTD. The original poster was right, you are wrong.
Safari appears to be OK, as long as 'block pop-up Windows' is selected in preferences. ... So it is vulnerable by default, sadly.
This seems like something that website admins should be worrying about, not users and the Mozilla crew. (And all the other browser developers).
After all, what decent web developer would expect users to enter sensitive information into a popup window which has no address bar! Whenever you're asking for sensitive information you show the user what site they're on. (Surely?!)
how does it work? The first link goes to citibank.com, and the second (on the pic) apparently goes to /domain/redirect/cbna/abuse.htm ... whoops.. did citibank just fix it? I clicked it again to check the URL and it seems to be going to citibank now instead of the Secunia page.
Join the Slashcott! Feb 10 thru Feb 17!
At first, FF1.0 on XPPro didn't seem vulnerable. However, that was when I middle-clicked on the link to Citibank's page. (To open it in a new tab, as opposed to a new window.)
When I clicked on the link "normally," i.e. with the left mouse button, the vulnerability showed up.
So it seems that Firefox's tabbed browsing capability has some security benefit.
If you follow the instructions, then the scam works
Whereas, if I left-click and open CitiBank a new window, I get the Secunia pop-up.
R3
Stuff that matters: circuitbreakers, vacuum-cleaners coffee makers, calculators generators, matching salt+pepper shakers
The exploit does not work at all in Firefox 1.0 so I don't know why everyone thinks it does.
OK, not to be smug here, but it didn't affect Safari 1.2.4 (v125.12) on OS X 10.3.6. At the end of the day, it would be nice to have a list of system- and browser combinations that are not affected, it makes for less sensational headings, but well, it would be the geeky thing to do, no?
"New Vulnerability Affects Not All Browsers" mmm, might need some work... What about:
"New Vulnerability Thwarted by FOSS and Apple Complot!!!"
I think, therefore I am...I think.
I just tried this on 5 different Mozilla machines here, all running various flavors of Linux, and it doesn't affect any of them.
Clicking on the link indicated pops up a Citibank window that explains how to avoid fraudulent clicks.
Once again, Mozilla reigns supreme.
I guess it didn't work for maxthon...the popup blocker didn't block citibank's popup but did block all the others that Secunia was trying to open.
1. Find new browser hijack exploit
2. Find millions of unsuspecting users
3. ???
4. Profit!
My install of firefox with default settings in my debian install didn't get hijacked. Whatever....
even doing that it doesn't do it for me.
puts the name of the host at the top of all browser windows, url bar or no.
But if you have Tabbrowser extensions installed in FF and set to open all popups in new tabs it doesn't seem to work, regardless of which mouse button you use.
I turned off IE's popup blocking.
I use Popup Block 1.65 from Planetscott.pa (popupblock.net) and use it to shut off all scripting.
Using it along with Spyware Guard and Spyware Blaster have kept my pc clean as far as I can tell.
Here's a small enhancement I made for Firefox to make broken security sites more obvious (take out space in URL as Mozillazine blocks direct links from Slashdot):
2 88 49
http://forums.mozillazine.org/viewtopic.php?t=1
If you use Firefox, why not try it out and make an already secure browser even more secure?
Visceral Psyche Films
wrong... simply disabling javascript will block your DoS
And the people shall be oppressed, every one by another, and every one by his neighbour Isaiah 3:5
You're BOTH right. 'target' is allowed in 4.01 loose and _frameset_ (otherwise the frameset DTD would be kind of useless, eh?) but NOT in 4.01 _strict_. So, basically, you can use it if you a) rely on quirks mode b) use the loose DTD or c) use the frameset DTD.
Now, target isn't in the XHTML 1.1 DTD... so you're right back to the issue.
The real problem is that web browsers make horrible application platforms, so people open new windows without navigation, menu, and location controls.
It's kinda like antibiotics. If everyone uses it then the population as a whole becomes more vulnerable. (Okay, the mechanisms are slightly different.)
So many sites use -- no, require! -- javascript in order to be viewed properly, which causes a large body of users to have it enabled by default, making them vulnerable.
A particular site can say that they use javascript responsibly, it's the bad guys who cause problems.
But just forcing people to view their site with javascript enabled contributes to the problem.
In the least a site should be viewable with javascript turned off. It may just not have all the fancy features, but it should work. That is good design, but it may only become common practice if enough people can be convinced to turn javascript off, which unfortunately I don't see happening anytime soon. But exposing vulnerabilities like this will certainly help.
"Education is not the filling of a pail, but the lighting of a fire." -- William Butler Yeats
'target' was part of the standard HTML 4.0. It has been deprecated in XHTML 1.1. The reason for it is not to force you to use Javascript, it is an accessibility issue. The idea is to discourage the creation of new windows unless the user explicitly requests so (by right-clicking on the link rather than left-clicking for instance). The reason for this is to make sites more accessible to people with disabilities. Forcing the browser to open a new window tends to confuse people because they might not always be aware that this has happened, especially if they have some sort of disability. For more information on the problem, see http://diveintoaccessibility.org/
Schrodinger's cat is not dead.
"I assert that no essential behavior on a web-page requires Javascript -- it's ALL needless."
There you go. You've just shown your ignorance. For simple web pages I would agree, but this vulnerability is for, and demonstrated in, a web application.
As other posters have pointed out, you cannot get some features of an application without using Javascript.
So, until the world starts using something like Webstart and downloadable, secure thick clients via the web, the browser is all that we have. Perhaps this vulnerability will be fixed at the browser level so that the needed use of Javascript can be made safer.
Can you provide an alternative that will allow these rich client features in a UI available over the web?
Come on, we're waiting...
'Insightful' my ass....
Never by hatred has hatred been appeased, only by kindness - the Buddha
Freaky... I don't have either of those disabled, but you're right, I can't see how that's related. Try it with those allowed maybe?...
which affects all browsers.
This doesn't affect Firefox v1.0
He specifically said html 4.01 strict, not html 4 transitional....
In strict, frames and target= are deprecated
And the people shall be oppressed, every one by another, and every one by his neighbour Isaiah 3:5
How about Amaya?
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
Is this really a 'security vulnerability'?
I would define something like another person being able to access/write to your hard drive, or reading information from your browser cache, history, etc. as a vulnerability.
Getting redirected from some other link is hardly a browser vulnerability. The most secure way of going to your bank's site is by typing the url in manually, using a bookmark/favourite or copying and pasting the link so you know what you're going to. Don't follow some other link from someone else's pages - doesn't sound that difficult to follow.
It seems to me from my understanding of this "exploit" that Javascript isn't exactly the problem. Only the attacking website has to run Javascript. The website being attacked could be completely devoid of Javascript and still be vulnerable to this spoofing, as long as it opened a new window in some fashion, and as long as the attacking website can somehow discover the name of the new window that has been opened.
In fact, if I understand this thing correctly, even the attacking website could be devoid of Javascript and still work if the links are operated manually. You could use HTML and a target attribute if you wanted, it just wouldn't operate automatically. All the Javascript does is run a timer and automatically overwrite the contents of the pop-up window, hopefully before the victim notices what's going on.
All this is about is that one website can open a new window with name "foo" and if another website opens a new window named "foo" after that, the contents of the original window "foo" gets overwritten rather than a new, separate "foo" window being created. There is a namespace conflict, and it's definitely a security bug that should be fixed, but it doesn't really have anything to do with Javascript. One website simply shouldn't be allowed to overwrite the contents of a window that was opened by another website just because it used the same name for the window. That's bad.
A side issue here is that even if the browser behavior gets fixed and both websites can open a separate window named "foo" at the same time, we still won't necessarily be able to tell them apart if the contents and title are identical. So from the phishing standpoint it's still a bit of a problem. The attacker will still have a 50/50 chance of having the confused user pick the wrong window to enter sensitive data, probably thinking they had clicked the link twice or in some other way opened two copies of the window. Even if the address bar is always displayed, many people would never notice that the two windows had different URLs.
The web is really getting tough to use safely these days. Anyone who thinks they're too smart to be fooled by a phishing scam just hasn't met a slick enough phishing scam. Don't worry, they're coming.
Opera 7.50 appears to always load the correct popup if you select the preference "Block unwanted pop-ups"
Can anyone confirm this?
Grrrrr... don't bother me, I'm thinking.
opera 7.60 P4 (alpha or beta??) on linux isn't affected
Technically it's not forcing the link to be opened in a new window. The browser can do whatever it likes with the "target" attribute, including ignoring it.
Many sites put external links in a new window to reinforce the idea that you are leaving their website. Yes, these types of things are obvious to us, but to many people it is simply not as clear. There are other reasons why one might want something to open in a new window/tab. As a designer, I would rather have that option open to me. Of course, as I mentioned above, I have no guarantee that the user will actually follow my suggestion.
I followed the directions to the T and I got a page that says learn about spoofs. I'm using Mandrake 9.2. No pop-up blocker. Konqueror 3.1.4. Running on KDE 3.1.3. I've always preferred Konqueror for browsing.
Client side validation is useful. One example is the transfer of a large amount of data over a slow link. Better to have the local client validate the information and not waste the time sending the data to the remote side only to be rejected.
Before you scream "there are no links that slow," please remember the internet is global and not everywhere has even a 56K connection. I currently work on a project where participants around the world (the majority in developing countries with poor internet access at best) enter data via a web form.
. there used to be a sig here.....
What if the pop-up has iFrames, and one or more of these gets hijacked? The location bar only displays the location of the main page, not the frames!
The link for browsers with pop-up blockers does not affect my pop-up blocking Firefox (and a window pops open saying that I have no pop-up blocking), but the other link does indeed spoof the window. I'm not worried about the problem though, because I don't engage in such insecure behaviour. An easy fix would be for Firefox to allow us to selectively allow java/javascript on a per-site basis (just like pop-ups and ads (with adblock)).
Nothing to see here. Move along.
Client-side verification This includes validating that all the fields in a form are filled in, as well as checking that the user entered the correct password. Naturally, this is the silliest reason to require Javascript, as the validation step still has to be done on the server side anyway, making the client-side validation a redundant convenience at best, and an addle-brained sign of utter incompetence at worst.
Just what I want.. a user posting 300 times before realizing that, yes, they must fill out the form. Think about something like Yahoo mail. I can go into a new message and if I forget to put in a To:, it will still post to the server and come back and say that I'm a moron. With JS verification, I would know instantly.
Obviously client-side verification shouldn't be used for passwords, but checking that a form is at least completely filled out is very helpful, both as a designer and a web user. Client side verification is practically instant and does not burden the server with incomplete requests. Of course, client side verification does not exempt you from having to perform server side verification.
I had to jump through a gauntlet of hoops to be vulnerable. I was about to give up when I finally, after several frantic minutes of trying, configured my Konqueror (version 3.1.0) to see the hijacked page.
By default, I run with Java and Javascript turned off. My list of exceptions is very short. I also have Konqueror set for Smart popup blocking. This last setting was the key. I had to set Konqueror to Allow all popup windows before I was vulnerable.
This is a semi-sophisticated attack that exploits the complicated nature of modern web browsers. However, as we learned in Star Trek -grin-, the more complicated the plumbing, the easier it is to clog the drain.
Anyone using even a modicum of common sense has nothing to worry about with this vulnerability. This is most certainly a bug (either in the standard, or in the implementation), but I rate it as very low.
Well I guess this validates my paranoid behavior when visiting banking sites. I only open one browser window (and no tabs) when I go to a finance site, and I close that one instance and relaunch the browser before going to the next site.
Looks like this practice would pretty much isolate me from this issue. OTOH, I'm usually a bit more lax when visiting shopping sites (but not anymore!).
Safari 1.0.3 on 10.2.8 shows the correct site, but I was able to get the hijacked site to show up by closing the browser windows.
This fix works under 1.0 (Other versions not tested)
Install Tabbrowser extensions located here:
http://texturizer.net/firefox/extensions// [Texturizer.net]
Look for the "Tabbrowser Extensions" under "Tabs and Windows" (it's about 1/8 down the page) Other extensions may fix the problem as well.
Girmann
Nietzsche is dead. --God
The test pages says: "Use the first link if you have a pop-up blocker enabled, or the second link if you do not have a pop-up blocker enabled."
Using Firefox 1.0 with popup blocking enabled, I selected the first link and the test "worked." When I selected the second link, it didn't work.
Does "pop-up blocker enabled" mean an external third-party blocker?
In any event, this seems odd. A malicious highjacker could not know who did and did not have a popup blocker. Ergo, doesn't the "test" directing to two different links--one for with, one for without--sort of invalidate the whole thing?
Ignorance is curable, stupid is forever.
I assert that no essential behavior on a web-page requires Javascript -- it's ALL needless.
Nice troll. But as this is currently being moderated as "Insightful", I think a counter is needed:
1) Client-side verification: Yes, let's bombard our servers with thousands of needless requests as users try to transfer "$abc" to their bank accounts or try to login with no password. It is particularly important that we do this on our sites which get thousands of visitors every day.
2) Eye-Candy: Ahh...now we have gotten to the point where drop-down menus are needless in forms. And "eye-candy" is something to be dreaded like the plague. Let me guess: you are a big fan of Lynx?
3) Replacing standard HTML functionality: This "artificially narrows" the user community? I think this means that the extreme minority of paranoid browsers such as yourself are "narrowed". I would much rather have an application-like web interface that does what I expect in place of a 1998-ish block of square text that is ugly and painful as sin to use. I think the vast majority of users would agree.
Firefox is impervious... to the specific exploit you linked to. The security advantage of Firefox is that it has fewer exploits and they are generally quickly fixed.
This post written under Gentoo-linux with an SCO IP license.
Saw this about a month or possibly even two months ago. Same site, same test (more or less). At that time, they said it affected only browsers that had tabbed browsing enabled. Checked with Safari, vulnerable.
OSX Security Update of I dunno, a month ago fixed it.
Checked again, just to make sure. I always get the Citibank window, not the Security Site's one. In other words, not vulnerable.
I suppose a certain configuration could bring the vulnerability up, but I don't show the exploit and I'm on pretty much default config; java & javascript enabled, etc.
OSX 10.3.6/Safari 1.2.4
No, basically all it does is set up a javascript timer that checks every so often (150ms) for the existence of a window with a certain name. Citibank's website then opens a window with that name, the javascript timer says "Hey, there's a window with that name." and then sets the URL from Citibank's URL to Secunia's URL.
Very simple, hardly a vulnerability. The only reason this is considered a vulnerability is the potential to trick people.
How can a "Popup hijacker" affect Lynx or Links? Use a proper browser and you won't have so many problems!
It looks like some people are at risk and some are not. Reading through the comments people swear their browsers are not affected...
But I ran the tests, and here are my results:
Mac OSX 10.3.6
Safari 1.2.4 (v125.12) - Not affected according to test.
Firefox 1.0 (G4 optimized build) - Affected according to test
Camino 0.8.2+ - Affected according to test
All browsers have pop-up blocking enabled, and some sort of ad filtering (Pith Helmet, Ad Block, etc).
Your mileage WILL vary.
Actually it's obvious that there was no secured connection on that citibank page, so it seems unreasonable for a user to actually trust the content there.
I think this is not a vulnerability, it's actually a feature.
The solution is simple and old : use SSL and if the user does care about his security he will leave the default settings intact, so there will be a warning at the time of hijacking.
Fixing the bug browserwise WILL lead to more problems in various web applications, xul, etc
BTW, can anyone tell me why citibank is ALWAYS the scammers' target?
I don't seem to be affected by this, the link at Secunia's website works exactly as it should, no hijack!!
This is a rather disturbing trend; I.E. a security company not really providing any security. I feel like Chicken Little just informed me the sky is falling.
Again.
i don't remember ever seeing this behavior in mozilla, and i've been using div's to make "windows" off and on since about 0.9.2
not to say this didn't ever happen in mozilla, but if it did, it was a bug, and was fairly short-lived, as opposed to internet explorer, where it is a "feature" of their implementation which can't be changed.
If I don't put anything here, will anyone recognize me anymore?
Using the example from the site (Citibank), this vulnerability doesn't work in Safari.
He also fails to account for screen readers, which is also a form of browsing. Basically, the Web is not (just) a graphical medium.
I assert that no essential behavior on a web-page requires Javascript
Probably right, though many very convenient features do.
I've got a web-based online game. I've written it in pure HTML as far as possible, with CSS for layout so that it works even if CSS is disabled.
Nevertheless, there are a few places where Javascript is very handy. I could probably find a way to do it without Javascript, but it would be much more work and hassle for me, less convenient for the user, and more error-prone.
Assorted stuff I do sometimes: Lemuria.org
the attacker needs the site to be exploited to exist in a CHILD WINDOW of the one running the script. therefore, the user must have entered the site to be exploited by clicking a link on the attacker's site.
That email I got about having extra security by making sure 1337hax0rz.ru was loaded in a separate window while using my bank's website was a lie? Maybe that is why my bank keeps asking me to give them my information again. How many times can they lose my account number and SSN?
SIGFAULT
In Firefox if you open the window in a new tab, create a new window manually and go to the URL, type in the URL manually, or go via a bookmark, you're safe. In other words, it's very very unlikely we'll see any wide-scale usage of this bug.
I tried this with firefox. It doesn't work.
I had a problem with one of my web applications where a user could request a report that took up to a minute to generate. They'd inevitably get impatient and start click-click-clicking the "Submit" button which would eventually grind the server to a halt as it tried to render 20 reports simultaneously.
I solved this by creating a unique request ID tied to the user's login cookie (yes, I also use cookies, bad me!) and pointing the request form to an intermediate page that would load instantly, then set a meta-refresh to take the user to the real report generator. The request ID could only be used once, so if they got impatient and hit "reload" then they'd get an error message telling them (politely) not to do that again.
Worked great - except that IE (up through version 6) has some pretty tight limits on how long the destination URL in a meta-refresh can be and implements those limits by truncating the request. While we weren't exactly sending an encyclopedia in the GET request (just the usual "startdate=", "enddate=", "imagelist=1,2,3,4,5,6", "sortorder=lastname" stuff), our visitors using IE would get damaged results about 25% of the time.
My eventual workaround was to replace the meta-refresh with a Javascript "window.location.replace" call, and a plain ol' href tag for people with Javascript disabled (which is little better than the original situation - people still have a "clicky-link" that they can hit 20 times until they get a 500 error and call tech support).
Yes, I know all too well that IE is not standards-compliant, but I still have to provide full functionality to the majority of our visitors who use it. Because of its brokenness, there is no standard HTML way of accomplishing my goal. I have to use Javascript to get a working simulation of what should have worked in the first place.
Dewey, what part of this looks like authorities should be involved?
All they need to do is change the window.open function to reference _new or _blank as the target instead of a hard-coded name. Javascript is nice for disabling extra toolbars when you're legitimately trying to display just a short blurb of text.
I never get affected by these crazy exploits!
Unfortunately there are developers out there that will do client-side verification, but not server-side. To compound the problem, the business users will have the client-side verification demonstrated to them but don't know to ask about the server-side validation. As far as they know everything's okay; everyone uses a GUI browser with Javascript and Active-X enabled, right? Eventually the original development team goes away and along comes a developer with a clue, who actually spends time reviewing the prior work. He discovers that none of the forms are really validating input and now must spend time correcting dozens of forms instead of working on new tasks. Welcome to my world. I've even seen people use Javascript to construct HTML pulldown lists, WTF?! I guess they don't know how to write a form handler that supports both GET and POST requests?
I won't even get into the mess the prior team created on the Solaris and Oracle servers...
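The client-side-only validation problem described above, as an added example that is not from the poster's codebase: one validation routine that runs unchanged in the browser for fast feedback and on the server where it is actually enforced, so a request crafted with curl or sent with Javascript disabled is rejected just like a bad form submission. The field names, limits and handler are invented for illustration.

```javascript
// Added example, not the poster's code. The same function validates the form
// in the browser (usability) and on the server (security); the server never
// assumes the browser ran it. Field names and limits are constructed.
function validateReportForm(fields) {
  const errors = [];
  const qty = Number(fields.quantity);
  if (!Number.isInteger(qty) || qty < 1 || qty > 100) {
    errors.push('quantity must be an integer between 1 and 100');
  }
  // Whitelist of characters and a length cap, rather than a blacklist.
  if (!/^[A-Za-z0-9 .'-]{1,64}$/.test(String(fields.lastname ?? ''))) {
    errors.push('lastname has invalid characters or length');
  }
  // Pulldown values are enumerated server-side too; the client's <select> is
  // not trusted to restrict the set of choices.
  if (!['lastname', 'date', 'total'].includes(fields.sortorder)) {
    errors.push('sortorder is not one of the allowed values');
  }
  return errors;
}

// Server-side handler supporting the same body whether it arrived via GET
// query string or POST form: re-validates before doing any work.
function handleSubmit(body) {
  const errors = validateReportForm(body);
  if (errors.length > 0) return { status: 400, errors };
  return { status: 200, errors: [] };
}

// Two constructed requests: one a normal form submission, one crafted to
// bypass the browser-side check entirely.
function demo() {
  const normal = handleSubmit({ quantity: '3', lastname: "O'Brien", sortorder: 'date' });
  const crafted = handleSubmit({ quantity: '-5', lastname: '<script>', sortorder: 'id' });
  return { normal: normal.status, crafted: crafted.status, craftedErrors: crafted.errors.length };
}
```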
Notice how some anti-Linux fanatics jump to the attack on the mere presumption of guilt?
This exploit didn't work against my FireFox 1.0 updated, running on a W2K box. Undaunted, I went to my FC2 box, sitting next to the W2K, and ran FireFox 1.0 there. Nada. Nothing. Just the CitiBank popup. (Don't be presumptive and assume that if I didn't provoke the exploit I did something wrong. Did it ever occur to you that the Secunia folks may have assumed too much, or missed something? Like.... everyone runs with Javascript enabled? Eh?)
So, stop genuflecting before the Throne of Gates and open your eyes. Did you, for example, compare the putative exploits for IE, FireFox, Mozilla, Konqueror, and the other browsers? Did you notice the 77 exploits for IE on a fully patched XP? How does that compare against the other browsers? Do you understand the difference between the way Open Source reports vulnerabilities and the way Microsoft does it? Refresher: Open Source reports them when they are discovered, giving consumers a chance to take protective action. Open Source usually returns patches within days, sometimes within hours. On the other hand, Microsoft lets the consumer twist in the wind of adversity until they announce both the vulnerability and the patch ON THE SAME DAY, usually months AFTER the vulnerability was found. AND, sometimes they don't announce a vulnerability at all, because they don't plan to fix it, or they claim it is fixed in the upgrade ($$$).
My guess would be a namespace difference. Or perhaps memoryspace.
LOLOLOLOL!!!! ok, THEN i go and try to conduct secure transactions like banking and whatnot...
ya riiiiiiight.
This should be interesting.
I predict firefox will get the patch out first, but the next question is how long until everyone in your org is patched?
With IE, I can push 2-3 buttons and everyone will be patched within a day.
With firefox.....
I tried it with both IE and Firefox. On both, the non-pop-up-blocker version went to the bank site, and on both the warning came up for the pop-up-blocker version. In IE it came up in a pop-up, and in Firefox it came up in the main browser window. I have no pop-up blocking for IE, and Firefox has pop-up blocking turned on. I am dubious about this test in general.
Lynx, Konq (which is khtml which is safari)
thank God the internet isn't a human right.
With Java and Javascript (as well as cookies) disabled. I use Firefox if I need the increased functionality, for specific websites (like Slashdot).
So this is another vulnerability that is shot down, solely by my attitude toward security.
Linux users tend to be a bit more techie and will have probably upgraded by now.
thank God the internet isn't a human right.
Ok, it's a combination of 1) the instructions are unclear (I opened the citibank webpage on step one when they were talking about the thing to click on) and 2) they appear now to have fixed whatever it was that couldn't tell that I had pop ups blocked. Now the vulnerability is clear, and the demonstration does work on my browser.
7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
he said XHTML 1.0 STRICT, you flaming asshat.
The sometimes-used "telnettoport80" browser also seems to be unaffected, but I think it depends on how autonomous the wetware rendering engine is.
At best this seems like poor design happening at the level below the browser. If I read it right, once a window has been brought up, it can be referenced by any page running IN THE SAME BROWSER. Isn't that how it's supposed to work? A fix would be to re-write some design specs on the "pop-up" function itself and break all the pages that use it.
In my opinion, let's just turn off pop-ups in general and let the whole idea fade into obscurity. I hate it when pages do that anyway; I want to control where I'm viewing stuff, not the blasted site. What's the use of tabbed browsing when sites pop up new windows anyway?
AB HOC POSSUM VIDERE DOMUM TUUM
...instead of Left Clicking, you _right click_ and open the window in a new tab. On the Secunia site where it states, "Test Now - With Pop-up Blocker - Left Click On This Link", instead right click on the link and choose Open in new tab. If you then click on the security alert, it appears to be the info from Citibank.
I followed the instructions to the letter and it did not work. I tried both the "with popup blocker" and "without popup blocker" links, still didn't work. I tried the "improved" instructions suggested here, still didn't work. I refreshed the page and I repeated the instructions, still didn't work. I never got any popup or new window from secunia, just from citibank. This is with Firefox 1.0 on Fedora Core 2. I think I have to agree with others who believe this is not truly a "universal" exploit, in that some combination of settings appear to stop it from working in Firefox.
So, you've read Usability For Dummies, have you? First of all, while some "usability tests show that [dialog windows are a good thing]", just as many tests show that they're not. In other words, it really depends on the app and the implementation.
Second, HTML/Javascript has almost NO dialog windows. The only two such beasts being the alert and the confirm modal dialogs. Everything else is treated as separate (almost) top-level windows and clueless webmasters kludge these windows into dialog boxes. They sometimes even try to use these windows as modal dialogs... oh the humanity!
There are two big problems here: HTML/Javascript is a stinking pile of kludged shit for programming "applications", and too many clueless webmasters read one website about usability and think they've instantaneously become both usability experts AND GUI engineers. Please, you seem to know a little about usability, just enough to hurt everyone badly, either go back and leave it to the pros, or spend a LOT more time on it before you use it anywhere.
web developers who *are* actually concerned about standards are required to use Javascript to perform the pop-up behavior.
Who are these web developers and why haven't they been shot yet?? If a standard is so bad that it replaces a nice little feature with the biggest kludge in history, Javascript, the standard should NOT be followed by any sane developer.
The "without popups blocked" option opened a new tab for Citibank and then showed the correct Citibank popup.
The "with popups blocked" option was strange and "reverse hijacked". It opened the new tab for Citibank, and clicking on the image resized the whole window to the size of the popup and then changed the *secunia* site to the correct contents of the Citibank window!
The best part is, you can PROVE target="whatever" isn't valid anymore simply by using the W3C's site validator! I had no idea target was deprecated until I tried to validate some pages I did using XHTML-STRICT, and they failed.
An example of how to use the target attribute with XHTML-STRICT via DTD modules, so you get the benefit of both:
How to use the TARGET module with XHTML
Agreed, original poster is right, and grandparent post is wrong. "Informative", indeed.
Actually, just last month, Michal Zalewski ran a trivial HTML monkey attack against most of the browsers out there. IE didn't have any problem with it, but he found many probably exploitable issues with all of the others.
Which doesn't change the fact that needless javascript is bad. It is.
The problem is that most of those sites make the redundant check compulsory.
... Even when he takes, for the same reason he disabled JS, more notice of what happens on the screen, and will probably pass the server-side check the first time.
That means that anyone with half a brain who has his Javascript disabled by default cannot access such a site.
Seriously - when was the last time you heard of an exploit that used straight HTML? All of the recent exploits in ALL browsers, IE included, have been in either Javascript or Active-X, not in the core HTML rendering.
I couldn't agree more. I tested this in my regular IE browser and didn't have a problem, even without a popup blocker. Of course, it may have something to do with the fact that I have ALL scripting turned off in my security settings. (The only pop up windows I ever see are Microsoft's thinly disguised pop up advertisements for their active X BS. Anyone know how to turn that off?) In fact, I have damn near everything turned off in my security settings. If you want to run a program on my personal computer you might try calling me and asking my permission. If you don't know me that well you have no business trying to run programs on my computer.
I often run into web sites that are blank or don't work correctly. I have a choice then of adding them to my trusted sites list, or going in search of a competing source for what I am looking for. Since there are usually hundreds of sources on the Internet for anything you want, I tend not to add sites to the list. I figure that, if someone wants to start right off the bat running insecure programs on my computer without my permission they aren't worth dealing with anyway.
Interestingly, when I clicked the test link I got only a Citibank logo and a form that loaded very quickly. Then I added *.citibank.com to my trusted sites list. When I clicked the test link again, I got the same logo and form but it took about 5 times as long to load because it was surrounded by annoying animated Citibank advertising.
I have been running IE like this for years and I have never been hit by any of the "vulnerabilities" that seem to plague it. I run outlook express the same way and I have never been hit with an email virus in spite of receiving hundreds of them. I am no big fan of Microsoft but you can run this software securely if you just turn off all the BS. It also has the pleasant side effect of filtering out all the web sites and content created by complete morons.
this is loaner...my sig is in the shop
Konqueror 3.1.4-0.9x.1 Red Hat (Using KDE 3.1.4-0.9x.1 Red Hat) Java and Javascript enabled globally.
With smart pop-up blocking switched on I hit the 'with pop-up blocking' test link on the secunia site and got the citibank site in a new window with no pop-ups.
I turned off pop-up blocking and re-ran the test (after reloading the secunia page as advised and using the 'no pop-up blocker' link this time)
Citibank site appeared in a new window, but again no pop-ups appeared.
Closed citibank window, re-loaded secunia page to try again and the 'injected' pop-up appeared when the secunia page reloaded.
So basically the 'untrusted site' popped up an untrusted window, having first asked me to turn off pop-up blocking and turn on Javascript.
It seems to me (at least in my case) that basic, sensible precautions (use a pop-up blocker, don't enable Javascript and check the source URL of all windows with no URL bar) would keep me safe.
Am I missing something here??
~ Better a freak than a sheep. ~
;-)
Thanks for the explanation though.
You didn't specify - open the citibank site by following the link on the test page. It doesn't work if you open a new window, and then type in the address yourself, or follow a bookmark you already had.
At least, that's the case in IE6/XP XP1. Probably completely different in every other combination imaginable, the way people seem to be having trouble getting it to work...
Exactly - by doing a window.open with a target of _blank, only the script that opened the window would have a handle on the window, and the name would be unpredictable, making such spoofing attacks much harder.
Damn right. Most people seem to be using XHTML for the sake of it being newer than HTML, rather than for any practical reason; effectively people are embracing a technology which needs ugly hacks to shoehorn it into the HTML world (courtesy of those ultra-forgiving HTML parsers the same people tend to criticize), and they have almost nothing to show for it, bar a warm fuzzy feeling from thinking they're doing the Right Thing[TM].
(X-Phile #4)
Guess you haven't been reading Slashdot for the past six months. This is hardly Mozilla/Firefox's "first" vulnerability. Anyone remember Mozilla's bug that was marked "confidential" since 1999 and only got fixed when an exploit was out in the wild?
Didn't think so. That's because Slashdot sweeps OSS flaws under the rug.
XHTML 1.1 is merely a modular reimplementation of XHTML 1.0 Strict, which is merely an XML reimplementation of HTML 4.01 Strict. Target was deprecated in HTML 4.01, and simply doesn't exist in Strict, and ergo doesn't in the document types derived from it.
XHTML 1.1 also lacks the compatibility profile which "legitimizes" serving it as text/html, so unless you're doing content negotiation and some document transformation so it only goes to XHTML-aware clients, it's really not that useful.
which is basically never going to happen.
Thanks for the clarification. The moral of the story is: don't open popup windows, it is potentially insecure, it annoys users and it reduces the accessibility of your site.
..at least they can provide an alternative interface for those who don't have javascript. Whether they do this is a matter of how many people don't have javascript. lynx users for one.
If an idiot uses Thunderbird, he gets ripped off by a Nigerian!
Bug !!!!
Right, pffff.
Ernest J.W. ter Kuile
Sorry I just don't agree that the XHTML standard is bad. I take it that you don't consider the ESPN and Red Hat (there are many more) sites either "real-world" enough or they are "doing it wrong"?
Consider the HTML 4 spec, which is syntactically difficult to decipher. After writing XHTML pages for several years now (thanks, I'm not a newbie to the web standards world) it's impossible to go back to HTML 4 and have it actually make any sense. For every open tag, you need a closing tag, except if it's horizontal line or a line break or an input or a meta tag or an image or...
It's just ugly and difficult to parse. By using XHTML, any XML parser can read a document. It's simple, if there's an open tag, close it. If there's a stand-alone tag, it better have a self-closing end. That is just one small piece of what I like about XHTML.
Insisting that if a webpage meets the XHTML Strict spec, it doesn't work in IE is just pure ignorance. Yes, typically developers have to put a little extra work into their CSS to get their pages looking as good in IE as they do in Mozilla/Firefox/Netscape/Opera/Safari/etc...
I don't write webpages to look good in IE, I write webpages to meet a standard (that happens to look good in most browsers), then I tweak it to look good in IE. The only thing that's broken in that equation is IE, but we are forced to deal with their inadequacies.
I don't see how MS inventing their own standards is any different than the W3C making web standards. It just so happens that everyone but MS has adopted these standards and they actually make more sense from a semantics perspective.
BTW, you may want to check your sources since Anne van Kesteren has an XHTML Strict compliant site.
true, alternatives are necessary. Hoping javascript will just go away is not going to make it so, tho. :)
You are so right, he did say that. That'll teach me to post past bedtime.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
My original reply was way off. I missed the 'strict' part after 4.01. Sorry for the heat. You should see what the AC's said, made my ears turn red!
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
I sit corrected, djoham wasn't talking about HTML 4.0.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
Firefox 1.0, Gentoo Linux, no bug. And I doubt lynx would be affected either.
I'm not saying that XHTML is bad. I'm saying that doing XHTML properly can be a nightmare. And no, ESPN and Red Hat and many more don't do it right; go back to Evan Goer's X-Philes list and read the criteria. Or read my by-no-means comprehensive guide to some of the things you have to do just to switch from HTML 4.01 to XHTML 1.0, and remember that these languages are element-for-element identical.
And in XHTML you still don't have closing tags, you just have a closing slash on the opening tag; how is that any less confusing? And by the way, that closing slash is fine if you're doing XHTML and serving it with an XML or XHTML MIME-type, but if you serve it as text/html you're gonna give conformant SGML parsers fits (Google "SGML SHORTTAG" sometime). And there's nothing in HTML 4.01 that says you can't close your paragraphs and list items and lots of other elements... I close them because it's good coding practice no matter what version of HTML I'm using. You can do that too if you like.
You've obviously never met the Yellow Screen of Death. And if you seriously believe that parsing XML is as easy as "open the tag, close the tag", I recommend you hang out on XML-related mailing lists for a while. Or just read Sam Ruby's weblog.
No, it's not ignorance. Go read the article by Ian Hickson I linked in my last comment; if you won't take my word, maybe you'll listen to somebody who's worked on both Mozilla and Opera and who leads the WHAT-WG. This is not about CSS bugs or quirks or rendering differences. This is about the simple fact that XHTML, according to the W3C, should be served with the MIME-type application/xhtml+xml. No version of Internet Explorer ever released on any platform anywhere is capable of dealing with that MIME-type. If you give it a page marked as application/xhtml+xml, IE will prompt you to download the page or specify another application to handle it; it literally does not know what to do with such a document.
Now, with XHTML 1.0 you are allowed to continue serving as text/html so long as you meet the HTML Compatibility Guidelines outlined in Appendix C of the XHTML 1.0 spec. Best practice here is to use some form of content negotiation to send application/xhtml+xml to user-agents which support it. However, XHTML 1.1 makes no provision of any sort for this; XHTML 1.1 is to be served as application/xhtml+xml, which means that there is no such thing as a conformant XHTML 1.1 document which will display in Intern
Oh, and by the way: not only is your site not XHTML, it's not valid, it doesn't include a DOCTYPE, and it doesn't specify a character encoding. You might want to look into that, because if it were XHTML and you were serving it as XHTML, there's not a browser on earth that could display it.
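The content negotiation the comment recommends (send `application/xhtml+xml` only to user-agents that accept it, `text/html` per Appendix C otherwise), as an added example that is not the commenter's code. It parses the request's `Accept` header with q-values; the sample header strings below are constructed for illustration, and `responseHeaders` is a made-up helper rather than any framework's API.

```javascript
// Added example, not from the comment author. Chooses the media type for an
// XHTML 1.0 document from the Accept header. Only an explicit, non-zero
// preference for application/xhtml+xml counts; a bare "*/*" (which IE sends)
// must not be treated as XHTML support, since IE offers to download that
// type instead of rendering it.
function parseAccept(header) {
  // Returns [{ type, q }] in header order; q defaults to 1 per RFC 2616.
  return String(header || '')
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((entry) => {
      const [type, ...params] = entry.split(';').map((p) => p.trim());
      let q = 1;
      for (const p of params) {
        const m = /^q=([0-9]*\.?[0-9]+)$/i.exec(p);
        if (m) q = parseFloat(m[1]);
      }
      return { type: type.toLowerCase(), q };
    });
}

function chooseXhtmlMediaType(acceptHeader) {
  const xhtml = parseAccept(acceptHeader).find((a) => a.type === 'application/xhtml+xml');
  return xhtml && xhtml.q > 0 ? 'application/xhtml+xml' : 'text/html';
}

// Response headers for the negotiated document. "Vary: Accept" tells caches
// that the body depends on the Accept header, so a text/html copy cached for
// IE is not served to a client that asked for XHTML (or vice versa).
function responseHeaders(acceptHeader) {
  return {
    'Content-Type': chooseXhtmlMediaType(acceptHeader) + '; charset=utf-8',
    'Vary': 'Accept',
  };
}

// Constructed Accept strings in the style of Mozilla and of IE6.
const MOZILLA_ACCEPT =
  'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5';
const IE6_ACCEPT = 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*';
```

Serving real XHTML this way also means the document must be well-formed, since the XML-capable clients will refuse to render it otherwise; the negotiation only decides who gets to see that failure.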
Is it a namespace bug? What if I have one web server that accesses stuff on another web server? So I have my one site, site A, which has one set of content. And I have another site, site B, which has another set of content and passes some info back to site A.
Currently, from site A I can open a window to site B, do a little something, get some data back, and continue with more stuff on site A.
It amounts to a question of business requirements.
No, it amounts to a question of what is impossible to secure. If you want to share namespaces (or privileges) across sites, there needs to be an explicit mechanism, not "come one, come all" by default.
Now what? Of course, even if you figure out you don't want to do this, what are you going to key on to figure out whether sites are on the same server?
Straw man argument. You fell off the tracks when you started thinking in terms of having Javascript check things. Partitioning the namespace means there is no need to check. Now you need a mechanism to export trust when required, which probably already exists.
By the way, as I've said elsewhere, if they can get you to click an email link, they don't NEED all this popup magic. All they have to do is show you a spoof site. And that's not just easier, it's more reliable, too.
What you missed is, the real site looks real because it is real, it's not just a very good copy. And it acts real too. This greatly increases the victim's level of trust in the malicious popup.
When all you have is a hammer, every problem starts to look like a thumb.
You have raised some interesting thoughts which I haven't given much consideration in the past, the idea of the Content Type. Serving up a content type of xhtml+xml for XHTML documents makes sense from a technical point of view, but as you pointed out leads to some very undesirable effects in the browser (as does the declaration atop the page).
I appreciate this conversation and the opinions you've shared, I am learning that not everyone is a supporter of the W3C and their current direction (this is new to me). I am thinking I've had a jaded view through the last year or two because I'm a daily visitor to sites such as Mezzo Blue, Stop Design, A List Apart, etc...
I'd equate it to listening to Air America Radio exclusively or using Fox News as your news source, you become a little out-of-touch with what's really going on.
I've been using Mono for the last 6 months, PHP/Java for 5 years, and C#/ASP.Net for 2 years. I use docbook or maybe TEI source documents for publishing, and Apache Cocoon as a framework. I've discovered remote root compromises in Netscape 2.
I'd leave it to "the pros" but they tend to fuck things up.
Lynx appears to be unaffected.
But my Lynx popup gave me ASCII Goatse
Table-ized A.I.
So there's a porn site for every person on Earth (except for the Chinese)!
99% of IFRAMEs on the net are used for ad banners.
The other 1% are used to exploit IFRAME vulnerabilities in IE.
Exactly what justification do you have for thinking I still need to view your entry tunnel?
;)
I was going to say something rude then, but I won't. This is a family web site.
As someone pointed out, way, way, down, it's not sufficient to just shut down all open MSIE windows. You have to open the task control dialogue (or whatever that thingy is called) and kill the ones that have gone faceless as well.
MSIE inherits an attitude of "Let's all share everything!" from MSWxxx (who got it from the old Macintosh's the-system-is-the-app approach, which was practically essential in those days of expensive GUI hardware).
Unfortunately, most other browsers imitate that to some extent, presumably because it has been hard to give the user an understandable widget to tell the system to cut a group of sessions off from the rest of the tree, and hard to give the user feedback as to which windows are with which sessions.
Just another case of Microsoft misunderstanding the technology they expropriated and setting that wonderfully promiscuous example.
Doesn't work with tabs. Same for Konqueror.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
The problem lies in the ability for the "evil" window to access the popup from citibank just because it knows its name.
The browser/javascript API should be fixed/designed so that only the parent of a popup can access it.
Global variables aren't good for isolation. That's a pretty general security principle, which is pushed as far as it can in capability-secure systems for example, to ensure only the actors that need an authority can use it.
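The name-based lookup this comment and the earlier "_blank instead of a hard-coded name" comments are talking about, as an added example that is not code from the page or from any browser. It is a small model of how `window.open(url, target)` resolves its second argument: a non-reserved target name is looked up in a global table of every open window, regardless of origin, before a new window is created, so any site that guesses the name can navigate the bank's popup. The origins, window names and URLs are constructed for the demo.

```javascript
// Added example, a model of the browser's window-name lookup, not real DOM
// code. Origins, names and URLs are constructed for illustration.
const windows = [];   // every open browsing context in this browser, any origin
const RESERVED = new Set(['_blank', '_self', '_parent', '_top']);

// Model of window.open(url, target) as browsers of the time implemented it.
function openWindow(openerOrigin, url, target) {
  if (!RESERVED.has(target)) {
    // A named target first matches ANY existing window with that name. There
    // is no check that openerOrigin created it: this global name table is the
    // "global variable" the comment objects to, and it is the spoof.
    const existing = windows.find((w) => w.name === target);
    if (existing) {
      existing.url = url;
      existing.navigatedBy = openerOrigin;
      return existing;
    }
  }
  // _blank (or an unused name) always creates a fresh window.
  const w = {
    name: RESERVED.has(target) ? '' : target,
    url,
    opener: openerOrigin,
    navigatedBy: openerOrigin,
  };
  windows.push(w);
  return w;
}

// Hardened variant from the "_blank" comments: the popup advertises no name,
// so the only handle to it is the object returned to the page that opened it.
function openIsolated(openerOrigin, url) {
  return openWindow(openerOrigin, url, '_blank');
}

// Scenario: the bank opens its popup, then an attacker page already loaded in
// another window of the same browser opens "its own" popup with the same name.
function scenario(useNamedTarget) {
  windows.length = 0;
  const bank = 'https://bank.example';
  const evil = 'https://evil.example';
  const popup = useNamedTarget
    ? openWindow(bank, 'https://bank.example/login', 'loginWin')
    : openIsolated(bank, 'https://bank.example/login');
  openWindow(evil, 'https://evil.example/phish', 'loginWin');
  return {
    hijacked: popup.navigatedBy === evil,
    windowsOpen: windows.length,
    popupUrl: popup.url,
  };
}
```

With the named target the attacker's call finds the bank's window and replaces its contents, which is what the Secunia demo relies on; with `_blank` the attacker merely gets a second, unrelated window. The lookup in this model is deliberately the unrestricted one being criticised; the isolation the comment asks for, where only windows related to the opener are candidates, is a change to that find step rather than anything the bank's page can do on its own.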
Actually, most people I know STILL haven't patched IE against that one exploit...
just tried their test in my safari browser and everything worked fine. no popup spoof for me.
I used to have a better sig than this, but I got tired of it
Example: (as mentioned,) sites that use Javascript to open windows. Granted, this practice came around before Opera/Mozilla introduced us to the wonders of tabbed browsing, but what's the point of pulling up a "diversionary" window and forcing the user to close it? Afraid they might not understand the concept of the "back" button?
Dumb example. This allows people to have more than one window open to work in. If you are working on a web *application* (which is what I do for a living) this is important.
For example: The site I built allows you to send messages to other users of the site. This can happen from anywhere in the site. This could be done one of two ways. Pop up or normal link. A normal link takes you to back button hell[1]. A pop up allows them to create the message without leaving their current work, and indeed they have the work in front of them to refer to if they need to.
[1] Back button hell is trying to work out which page they are supposed to return to when they click back. This could mean a page that includes a query string or a POST. The effect is that you need to store a list of pages visited and the POST and query string data. Complications are added when people switch back and forth between a couple of pages.
Example: using flash/java/shockwave/etc to perform functions that could be handled in HTML, especially now that we have DHTML.
What do you mean "now"? We have had DHTML as long as we have had Javascript. It just hasn't had as many features. But most of the currently used features of DHTML (aside from some CSS) were supported back in IE4.
A very good reason to use Java/Flash etc is that these perform better. I am currently looking at migrating a rather complex piece of DHTML to either Flash or Java for this very reason.
I have trouble with understanding the argument "we will be more successful if we deny access to some percentage of the population."
I have trouble understanding this attitude too. Fortunately that isn't the attitude we have here. The attitude here is that Flash/Java etc offer better functionality that we want to take advantage of. Coding DHTML sucks big time. It suffers serious limitation particularly when you want to do something interesting with images.
meh
Get a grip.
Javascript can be used to save a round trip to the server. For example load up a js array of information, which is then loaded into s. This can greatly improve usability, as the site is much more responsive.
This goes equally for your comments on client side validation.
For some people usability is what counts.
meh
As with most malicious browser attacks, this one requires Javascript to be enabled. Anyone that has Java/Javascript enabled deserves just what they get.
Embarrassment. Couldn't get it to work in IE 6.0.2800-XP-SP2 (though I'm running on XP1). Must be something wrong with people's browsing habits. Oh, you browse with javascript enabled for all sites, by default? Well, um, *sigh*: trusting scripts from random sites? I don't think so: default ActiveX off, Java Off, Javascript Off, Cookies Off...etc...
:-)
Opening up my web browser to random scripts has never seemed like a great default no matter how "secure" the language is supposed to be. I worked in security -- I know what passes old C2/B1 or CC-CAPP/LSPP for commercial and federal "security" on OS's. Be afraid. Be very afraid.
Besides -- my boss told me not to fix bugs (including security bugs): It was "not a bug" unless found by a customer or by the security evaluation vendor. "If they don't find it, we don't gotta fix it". Simple as that. As for fixing customer bugs: fixing unfound customer bugs was against his policy as "found bugs" could be fixed with money from support-paying customers. Otherwise, what incentive is there for the customer to have to buy or pay for support?
When support became a profit center, fixing non-customer (or non security-eval-team) reported bugs became a fiduciary liability to stockholders. Employees who wasted company time fixing such bugs were liable to have it show up negatively on their performance reviews.
It is just another "cost-cutting" measure in a free-market economy.
-l
Best practice here is to use some form of content negotiation to send application/xhtml+xml to user-agents which support it.
This MIME type defeats progressive rendering in Mozilla, which makes the page appear much more slowly. Good reason not to use it on a commercial site -- HTML is just much better supported than XHTML even among the few browsers that care about XHTML at all.
No version of Internet Explorer ever released on any platform anywhere is capable of dealing with that MIME-type.
You miss the forest from the trees. IE doesn't support XHTML, So, IE is actually correctly not accepting a MIME type that it can't support. The fact that other browsers lie about their XHTML support makes it easier for developers, but it is not necessarily "correct".
Ultimately it's just a MIME type, nothing more. The abstract benefits of XHTML* are all still just as valid even if for practical reasons it's served with the wrong type.
* The real value with XHTML is content management systems and parsing scripts. Graphical Web Browsers do such a damn good job with HTML parsing that there's very little payback delivering 100% XHTML to eyeballs.
Whenever I hear the word 'Innovation', I reach for my pistol.
I read all of those sites, too, and I read several standards working-group mailing lists. I don't dislike the W3C and I don't dislike standards; in fact, quite the opposite. I just know that in the particular case of XHTML it's not as cut-and-dried as people often make it out to be, and there are a lot of people who simply are not doing XHTML correctly. And if we start out with people not following the standard, we end up in the same place we did with traditional HTML -- browsers will have to work around the parts of the spec people are ignoring, and start accepting certain errors because they're everywhere. That's a Very Bad Thing in my book, so I want people to get it right from the start this time around.
Mozilla and others do actually have XHTML support; serve them XHTML with the proper MIME-type and they parse as XML, applying all of XML's constraints. You do lose progressive rendering in Mozilla and that's a bug, but no spec anywhere says that browsers have to support that feature. Internet Explorer, on the other hand, has a validating XML parser to draw on (MSXML), but for some reason won't put it to use when it encounters an application/foo+xml media type.
The benefits of XHTML are things like being able to use an XML parser, which you can't do if you're sending your XHTML as text/html. They're things like embedding other XML languages in your HTML content, which you can't do if you're sending your XHTML as text/html. In fact, you lose the eXtensibility of XHTML when you don't serve it as XML, since then you can't use any of XML's extensibility.
The only thing you can do is pretend, before you serve it to a user-agent, that it's XML. Which I guess makes some people happy, but when you go and break the spec on the journey to the client it does tend to bug me a bit. If you're gonna do all that crap on the server-side, use XSLT at the last step to transform to HTML 4.01 Strict or something so at least you'll be sending what you claim you're sending.
A lot of inconvenient features are also possible with Javascript as well, so the convenience argument cuts both ways.
It's really, really, really convenient to have trusted live data. You can get up to all sorts of neat tricks. Of course, it's also really convenient to skip all this nonsense about accounts and passwords; it's convenient to use telnet instead of ssh; it's convenient to leave your keys in your car, or to do away with keys entirely and just have a 'starter button'.
The downside is that you get a lot of "I didn't mean for THAT to happen". The consequences of convenience are paid somewhere.
Well, as I disable/filter-out Javascript, it won't work at all for me, which makes such pages REALLY inconvenient. So "less convenient for the user" isn't really a good point.

It's less convenient for you, in that it's more work and hassle. But then, checking for possible errors, avoiding buffer overflows, and all that fun stuff is also more work and hassle than assuming everything will work correctly all of the time. There are times when that's okay (only you will be using your programs and you don't mind the extra work when you run the program), and there are times when it isn't (Aunt Tillie uses a proxy that filters out all javascript to protect her from cross-site scripting attacks).
Standard programming tradeoff. Someone has to put up with the hassle; should it be the users, or the programmers?
Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
This slashdot is just too funny.
Even -after- I get flamed for my poorly thought out post (complete with factual errors and faulty reasoning), -and- admit that I'm wrong, my original reply gets modded to +5. I guess the mods just didn't read my PS. very carefully.
djoham, that your post is at only +2 a.t.m. is proof that the crack problem has not gone away.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
But you know what? Disable Javascript then go back and try to use the form again*.
Just because most people are too lazy to write decent web apps, doesn't mean it's not possible, or that Javascript is evil.
* For those that can't be bothered disabling Javascript; the page looks and acts pretty much the same, but with some reloading.
Ok, the directions didn't make too much sense to me, but anyway...
1. Open citibank webpage.
2. Click their "magic" link.
3. Go back to the citibank webpage. NOW click the "Consumer Alert" page. Voila! Secunia page appears.
What does it mean?
Don't view p9rn while doing your banking!
--LWM
I don't mind someone else using javascript (so long as they don't whine about cross-site scripting attacks, annoying popups, pr0n pages that Won't Go Away, and suchlike) if they choose to take the risks. My only problem is with web-site developers that demand that users enable javascript.
Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
> they parse as XML, applying all of XML's constraints
And this benefits the guy reading ESPN.com how?
> no spec anywhere says that browsers have to support [progressive rendering]
Also, no spec says it shouldn't take 60 seconds for your home page to load or that you shouldn't start a popup storm on the user's system. Your preference for hidden protocol details over an optimal user experience makes you seem a bit quacky here. You might want to rethink your position.
> Internet Explorer, on the other hand, has a validating XML parser to draw on (MSXML), but for some reason won't put it to use
Yes, IE sucks. However, you seem to be suggesting that it suck more by misadvertising it's features.
> In fact, you lose the eXtensibility of XHTML when you don't serve it as XML
Not at all. Your client application can still treat the page as XML no matter what the MIME type is. The type is a useful hint, that's all.
> use XSLT at the last step to transform to HTML 4.01 Strict
Is there some part of XHTML that is invalid HTML? This seems unnecessary. Not that necessity would enter into your thinking.
Whenever I hear the word 'Innovation', I reach for my pistol.
I mean...geez!
Right now it doesn't. There's absolutely zero benefit to ESPN.com being marked up in XHTML. Which is why I initially asked whether HTML 4.01 had suddenly been erased from all memory, because it's easier to do right.
You might want to not put words in my mouth. There's a difference between standards and best practices; standards say nothing on the subject of progressive rendering, but best practices say it's a good thing.
No, I want it to either A) stop claiming it supports XHTML or B) start supporting XHTML.
While we're at it, let's just ignore the Content-Type header entirely and try to guess what the file is by its first few bytes. Yeah, that's a real great idea, I wonder why nobody's ever tried that before...
Yes, there is. For example, consider the XHTML line break tag, <br />. There are two ways for an SGML-based HTML parser (e.g., an HTML 4.01 parser) to interpret this:
So either your page is invalid, or it displays something different from what you intended. Those are some appetizing options, aren't they?
Of course, if they don't enable Javascript, the site is just broken, so there's no improvement at all, and to such a user, the "improved" site is far worse than the old one.
You have to verify all that data again on the server and provide an appropriate response in case of missing or invalid information. It's redundant. This isn't necessarily bad, so long as some bright programmer doesn't eliminate the redundancy by yanking it out of the server-side (Look! It speeds things up!). This means that users who disable javascript might have three or four submissions that are rejected by the server instead of the nice realtime "this is what you have missing" interface that you get with javascript, but That's Okay, if that's what they choose.
But only the ignorant or the incompetent rely on client-side validation. It's potentially useful as an optimization, but that's it.
Exactly. And if I disable Javascript -- my computer, my choice, right? (if not, I expect you to be running a system that can handle ActiveX and aren't using anything like a popup blocker) -- many sites that rely on Javascript are totally unusable. And that's the root of the problem.
Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
OK. I tried this in Galeon, and clicking the secunia link just opens a fourth window with the Citibank index page.
You mean, "join the herd", apparently
/. has some people who are an amazing combination of technology freak and luddite. People like yourself.
There is a balance between the two extremes, you lean to the luddite* end. Good for you.
The fact remains that javascript is enabled on a very large proportion of the people who surf the web. I use that and will continue to do so.
Of course, if they don't enable Javascript, the site is just broken, so there's no improvement at all, and to such a user, the "improved" site is far worse than the old one.
Everything you say starts from a platform that javascript is bad. You have not justified this position.
But only the ignorant or the incompetent rely on client-side validation. It's potentially useful as an optimization, but that's it.
Sure, but the way I do validation detailed information on the error is displayed at client side. When you get an error on the server side the error message will not tell you where the error even is.
I will not waste my time writing code to provide detailed error messages for a very small proportion of website users. That is a poor use of my time.
Exactly. And if I disable Javascript -- my computer, my choice, right? (if not, I expect you to be running a system that can handle ActiveX and aren't using anything like a popup blocker) -- many sites that rely on Javascript are totally unusable.
Good for you. It is your choice to make sites unusable. I have issues with Javascript that is not cross browser compatible. But Javascript is enabled in most browsers out there. It is here to stay. If you choose to move to the minority you have to live with the consequences.
I find it amazing that
* Luddite in the sense that it is used today, ie someone opposed to technology for no good reason. This is distinct to the original Luddites.
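The two sides above disagree over whether server-side validation can give the same field-level feedback as client-side Javascript. As an added illustration (not code from any commenter), the rules below are written once and run both in the browser, for real-time hints, and again on the server, so a client with Javascript disabled, or one that skips the script altogether, still gets per-field error messages. The field names, rules and submissions are constructed for this example.

```javascript
// Constructed example: one validation function shared by client and server.
// Field names, patterns and messages are invented for illustration.
const RULES = {
  username: { required: true, pattern: /^[A-Za-z0-9_]{3,16}$/,
              message: "3-16 letters, digits or underscores" },
  email:    { required: true, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/,
              message: "must look like user@example.com" },
  age:      { required: false, pattern: /^(1[89]|[2-9]\d|1[01]\d)$/,
              message: "must be a whole number from 18 to 119" },
};

// Returns { ok: boolean, errors: { field: message } }.
// The same function runs in the browser (on keyup/submit) and on the
// server (on POST), so both produce identical per-field messages.
function validateForm(fields) {
  const errors = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const raw = fields[name];
    const value = typeof raw === "string" ? raw.trim() : "";
    if (value === "") {
      if (rule.required) errors[name] = "required";
      continue;               // optional field left blank is fine
    }
    if (!rule.pattern.test(value)) errors[name] = rule.message;
  }
  // Fields the form never defined are rejected: the server cannot assume
  // the client script restricted what was posted.
  for (const name of Object.keys(fields)) {
    if (!(name in RULES)) errors[name] = "unexpected field";
  }
  return { ok: Object.keys(errors).length === 0, errors };
}

// Server-side handler: always re-validates and never relies on the
// browser having run validateForm. The redundancy the thread mentions is
// kept on purpose; only the client-side copy is the optional optimisation.
function handleSubmit(postedFields) {
  const result = validateForm(postedFields);
  if (!result.ok) {
    return { status: 400, body: { errors: result.errors } };
  }
  return { status: 200,
           body: { saved: { username: postedFields.username.trim() } } };
}

// Constructed submissions: one from a browser that ran the script first,
// one from a client that bypassed it and added an extra field.
const viaScript = handleSubmit({ username: "alice_01",
                                 email: "alice@example.com", age: "" });
const noScript  = handleSubmit({ username: "a", email: "not-an-email",
                                 isAdmin: "1" });
```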
meh
You missed my points by a mile.
a) "convenient" is used in a very strict sense here. Telnet isn't more convenient than SSH, because SSH is just as good to use, and the install work is minor. However, doing things in a few clicks is convenient, while doing the same things in 25 steps is not. Don't confuse convenience with laziness.
b) I have gone to great pains to make sure my pages are usable to non-javascript users. The javascript-reliant features won't work, so (for example) the low-frame status bar won't update for you. You lose a feature, but you don't lose the entire site.
c) I did include "error-prone" for a reason. I don't consider checking for valid input a hassle. But it should be obvious that if I have to write a 200 line pure-HTML workaround, the chance for errors in that is higher than a 20 line javascript.
d) The point was that there are some places where all parties find it more convenient, easier and generally better with than without Javascript. It's not a matter of "oh, this is easier for me, screw the user". It's a matter of "I can do it in 2 pages and give the users a nice feature with javascript, or I have to write 10 pages and the users get the same or even less in functionality".
Assorted stuff I do sometimes: Lemuria.org
If you truly can get all parties to agree, then you're dealing with a closed system, and it makes sense to do whatever you want. That still leaves the question as to how ill-equipped are the users to make informed decisions? (Presumably, if they've hired you, they've hired you for your expertise, and you are their informed decision.)
And as it's a closed system, you could just as well get away with a standalone application. "Live data" and "untrusted programs" don't apply anymore.
As to point (a) -- telnet is more convenient, at least to me, than ssh, in that I can monitor the network to see what's actually going across the wire, and when. It helps tremendously when you're trying to debug a network problem... but that's just my point of view.
Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
Um... "having JavaScript check things"??? Nooooo, I meant having the web browser's javascript system handle the checks. Not unlike what you're suggesting, only different checks. But then, this is slashdot. Responding to the same thing I said would be a faux pas.
bottom line: if you're going to go to your online bank, you usually open up your browser, type in the URL, and go. You don't go to a magic hacker site and click a link. So this is of limited scary-scary value.
Farewell! It's been a fine buncha years!
The problem is that I've been on the wrong side of that, and was informed that all parties found it more convenient. Except that I didn't, therefore, the assertion was too strong.
;-)
That's a matter of exactness. Most people say "all" or "everyone", but actually mean "99.9%" or "everyone I know/care about".
There is a point where I agree with them. I've around 1000 players in my game. I will certainly care for something that matters to 10 of them. Whether or not I care for something that only one person dislikes depends entirely on my mood.
As for the telnet point - it doesn't justify using telnet all the time if you actually need it only seldom. That's laziness, not convenience.
(of course, your network might be troubled all the time, in which case you should disregard that point and find a new network admin).
Assorted stuff I do sometimes: Lemuria.org
I require JavaScript for my site, on the logon page.
SSL from a web browser cannot be trusted if an internet accelerator or other proxy server, such as Squid, is running. No other authentication method is either supported by every browser or does not pose a serious security risk.
So my option is to use JavaScript and SHA1 and OTP to secure the password, and run on every JavaScript enabled browser, or to use some other mechanism and risk exposure of personal data about my users to unauthorized third parties.
If your code is acting bloated, and is running rather slow, it's likely and predicted that some loops you will unroll.
Of course, I also think a lot of people say "all" or "everyone" when they actually mean "55% or more", and say "most" if they mean "40% or more".
Heh. You're better than, er, "most".

Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)