[WEB SECURITY] Interesting method of conducting XSS attacks in Firefox and Attacks on web sites via mod-itk
mustlive at websecurity.com.ua
Fri Sep 21 15:00:10 EDT 2012
Hello participants of Mailing List.
In May 2011 and in September 2012, I've wrote two articles. Request full
translation of any of them if needed.
I'll tell you briefly about my articles concerning interesting method of
conducting XSS attacks in Firefox and attacks on web sites via mod-itk.
These topics should be interesting for you (especially for those, who
haven't read them before).
1. Interesting method of conducting XSS attacks in Firefox.
In this article I've told about one method of conducting XSS attacks in
Firefox. It's based on a feature of Gecko-based browsers, about which I know
since 2006 and use for XSS attacks, but in 2011 I've enhanced this attack
during security audit of web site of my client. This technique can be used
for bypassing protections against XSS - built-in at web sites or WAFs.
This browser feature was removed in Firefox 4. The attack works in Firefox
3.0.19, 3.5.19, 3.6.28 and previous versions.
2. Attacks on web sites via mod-itk.
In this article I've told about attacks on web sites via mod-itk module for
Apache. The mod_itk (mpm-itk) is a security module, but with not secure
enough configuration it can bring serious security issue to web server (such
as PHP code execution), even on web sites which are secure at web server
without this module. In June I've informed about it the developer of this
module and the developers of Apache. I've tested this attack on WordPress,
but any web applications with file editing functionality can be used for it.
Best wishes & regards,
Administrator of Websecurity web site
More information about the websecurity