

Finding bugs lurking in the DOM

By Jake Edge
January 30, 2008

The Document Object Model (DOM) for HTML is quite useful for handling a variety of dynamic effects for web pages, but it is complex. It interacts with Javascript and CSS (or they with it) in ways that are sometimes surprising—the DOM has often been the source of browser bugs. A new project, from well-known DOM bug finder Michal Zalewski, seeks to systematically exercise the DOM in browsers to eliminate as many holes as it can.

The project, with the unassuming name of DOM access checker (or dom-checker) was just announced on the full-disclosure mailing list (along with Bugtraq and others). Zalewski and colleague Filipe Almeida, both of Google, describe their tool as follows:

DOM access checker is a tool designed to automatically validate numerous aspects of domain security policy enforcement (cross-domain DOM access, Javascript cookies, XMLHttpRequest calls, event and transition handling) to detect common security attack or information disclosure vectors.

[DOM Checker]

The checker consists of three HTML files and a Javascript configuration file that can be loaded from the internet via HTTP (a live version is available from the project website) or from the local disk, using the file:// protocol. Ideally, they should be loaded from both places and give the same results, since browsers apply different origin rules to file:// documents. The screenshot for a sample run using Firefox 3 (Fedora/3.0b3pre-0.beta2.12.nightly20080121.fc9 for the curious) is at left.

After pressing the "Click here to begin tests" button, the Javascript test harness runs 15 major tests, each with many separate subtests. Each subtest reports success or failure to the screen as it runs. Firefox 3 failed 15 of the 1500 or so checks in the standard set of tests.
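To make the shape of such a harness concrete, here is an added example that is not code from dom-checker or its authors: a miniature policy-conformance checker in the same spirit. Each subtest is one DOM access that the same-origin policy says a browser must either allow or refuse; the harness attempts it, classifies what happened, and counts mismatches, separating plain failures from leaks (access allowed where a block was required). The origins, the test matrix and the "strict" and "leaky" browser stand-ins are all constructed for the example; the treatment of file:// as an opaque origin is an assumption, not a description of any particular browser.

```javascript
// Added example (not part of dom-checker): a miniature policy-conformance
// harness. Every subtest is an access that the same-origin policy says a
// browser must either allow or refuse; the harness attempts it, classifies the
// outcome and counts mismatches.

// A web origin is the (scheme, host, port) tuple. WHATWG URL parsing already
// drops a scheme's default port, so "http://a.example:80" and "http://a.example"
// compare equal. file: documents are modelled as opaque origins (an assumption
// made here; real browsers differ, which is why the article says to run the
// checker from both http:// and file:// and compare the results).
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA), b = new URL(urlB);
  if (a.protocol === "file:" || b.protocol === "file:") return false;
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Stand-in for iframe.contentWindow as a correctly behaving browser exposes it
// to a document at accessorUrl: cross-origin reads throw a SecurityError.
function strictFrame(frameUrl, accessorUrl) {
  return {
    get document() {
      if (!sameOrigin(frameUrl, accessorUrl)) {
        throw new Error("SecurityError: blocked cross-origin DOM access");
      }
      return { cookie: "session=abc" };   // constructed document contents
    },
  };
}

// Stand-in for a buggy browser that never enforces the boundary.
function leakyFrame() {
  return { get document() { return { cookie: "session=abc" }; } };
}

// Run one access attempt and report what the "browser" did.
function probe(attempt) {
  try { attempt(); return "allowed"; } catch (e) { return "blocked"; }
}

// Constructed test matrix: which page reads which frame. The policy answer is
// derived from sameOrigin(), never hard-coded, so adding rows is cheap.
const MATRIX = [
  ["http://a.example/page", "http://a.example/frame"],
  ["http://a.example/page", "http://a.example:80/frame"],
  ["http://a.example/page", "https://a.example/frame"],
  ["http://a.example/page", "http://a.example:8080/frame"],
  ["http://a.example/page", "http://sub.a.example/frame"],
  ["http://a.example/page", "http://b.example/frame"],
  ["file:///tmp/page.html", "file:///tmp/frame.html"],
];

function buildSubtests(frameFactory) {
  return MATRIX.map(([accessor, frame]) => ({
    name: `${accessor} reads document of ${frame}`,
    expected: sameOrigin(accessor, frame) ? "allowed" : "blocked",
    attempt: () => frameFactory(frame, accessor).document.cookie,
  }));
}

function runSubtests(subtests) {
  return subtests.map(t => {
    const observed = probe(t.attempt);
    return { name: t.name, expected: t.expected, observed, pass: observed === t.expected };
  });
}

// Summary in the spirit of "failed 15 of 1500": total, failures, and how many
// failures are leaks (access allowed where the policy requires a block), which
// are the security-relevant ones as opposed to over-blocking.
function summarize(results) {
  const failed = results.filter(r => !r.pass);
  return {
    total: results.length,
    failed: failed.length,
    leaks: failed.filter(r => r.observed === "allowed").length,
    failedNames: failed.map(r => r.name),
  };
}

function checkBrowser(frameFactory) {
  return summarize(runSubtests(buildSubtests(frameFactory)));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("strict browser model:", checkBrowser(strictFrame));
  console.log("leaky browser model :", checkBrowser(leakyFrame));
}
```

In a real browser the `attempt` closure would touch `frame.contentWindow.document` of a genuine iframe loaded from a second host, and the expected column would come from the same origin tuple; the strict model reports no failures, while the leaky model reports five, all of them leaks.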

According to the announcement, "DOM Checker had been used to find a number of major security bypass and information disclosure problems in several popular browsers." Zalewski and Almeida worked with the browser teams to resolve the most serious issues. But, common browsers will still fail up to 30 of the less important tests—for privacy, rather than security, holes.

The hope is that the browser vendors pick up these tests to use as part of their quality assurance process. They could also be used for regression testing to find problems that have crept in while fixing other bugs or adding new features. The checker is a framework that could easily be extended with additional tests covering other areas of DOM functionality. With the advent of AJAX, DOM manipulations via Javascript are being used more and more by web sites, so tools to discover these kinds of bugs are welcome.


New vulnerabilities

gforge: cross-site scripting

Package(s):gforge CVE #(s):CVE-2007-0176
Created:January 28, 2008 Updated:January 30, 2008

From the NVD entry:

Cross-site scripting (XSS) vulnerability in search/advanced_search.php in GForge 4.5.11 allows remote attackers to inject arbitrary web script or HTML via the words parameter.

Debian DSA-1475-1 gforge 2008-01-26


icu: arbitrary code execution

Package(s):icu CVE #(s):CVE-2007-4770 CVE-2007-4771
Created:January 25, 2008 Updated:May 15, 2008
Description: From the Red Hat advisory: Will Drewry reported multiple flaws in the way libicu processed certain malformed regular expressions. If an application linked against ICU processed a carefully crafted regular expression, it may be possible to execute arbitrary code as the user running the application.
Gentoo 200805-16 openoffice 2008-05-14
SuSE SUSE-SA:2008:023 OpenOffice_org 2008-04-18
Ubuntu USN-591-1 icu 2008-03-24
Debian DSA-1511-1 libicu 2008-03-03
Gentoo 200803-20 icu 2008-03-11
SuSE SUSE-SR:2008:005 acroread, asterisk, cacti, compat-openssl097g, icu, libcdio, wireshark/ethereal, Jakarta, perl-tk 2008-03-06
rPath rPSA-2008-0043-1 icu 2008-02-06
Mandriva MDVSA-2008:026 icu 2008-01-25
Fedora FEDORA-2008-1036 icu 2008-01-27
Fedora FEDORA-2008-1076 icu 2008-01-27
Red Hat RHSA-2008:0090-01 icu 2008-01-25


kernel: several vulnerabilities

Package(s):linux-2.6 CVE #(s):CVE-2007-2878 CVE-2007-6151
Created:January 29, 2008 Updated:January 8, 2009
Description: From the Debian advisory: Bart Oldeman reported a denial of service (DoS) issue in the VFAT filesystem that allows local users to corrupt a kernel structure resulting in a system crash. This is only an issue for systems which make use of the VFAT compat ioctl interface, such as systems running an 'amd64' flavor kernel. ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data.
Red Hat RHSA-2008:0787-01 kernel 2009-01-05
Red Hat RHSA-2009:0001-01 kernel 2009-01-08
SuSE SUSE-SA:2008:032 kernel 2008-07-07
Mandriva MDVSA-2008:112 kernel 2008-06-12
CentOS CESA-2008:0211 kernel 2008-05-07
Red Hat RHSA-2008:0211-01 kernel 2008-05-07
Mandriva MDVSA-2008:086 kernel 2008-04-15
SuSE SUSE-SA:2008:017 kernel 2008-03-28
Debian DSA-1504 kernel-source-2.6.8 2008-02-22
Debian DSA-1503 kernel-source-2.4.27 2008-02-22
Debian DSA-1503-2 kernel-source-2.4.27 2008-03-06
Ubuntu USN-578-1 linux-source-2.6.15 2008-02-14
SuSE SUSE-SA:2008:007 kernel 2008-02-12
Ubuntu USN-574-1 linux-source-2.6.17/20/22 2008-02-04
Red Hat RHSA-2008:0055-01 kernel 2008-01-31
Debian DSA-1479 linux-2.6 2008-01-29


mysql: buffer overflows

Package(s):mysql-dfsg-5.0 CVE #(s):CVE-2008-0226 CVE-2008-0227
Created:January 29, 2008 Updated:July 21, 2008
Description: From the Debian advisory: Luigi Auriemma discovered two buffer overflows in YaSSL, an SSL implementation included in the MySQL database package, which could lead to denial of service and possibly the execution of arbitrary code.
Mandriva MDVSA-2008:150 mysql 2008-07-19
Ubuntu USN-588-2 (follow-up to USN-588-1) mysql-dfsg-5.0 2008-04-02
Ubuntu USN-588-1 mysql-dfsg-5.0 2008-03-19
rPath rPSA-2008-0040-1 mysql 2008-02-05
Debian DSA-1478-1 mysql-dfsg-5.0 2008-01-28


netkit-ftpd: denial of service

Package(s):netkit-ftpd CVE #(s):CVE-2007-6263
Created:January 30, 2008 Updated:January 30, 2008

From the Gentoo advisory:

A remote attacker can send specially crafted FTP data to a server with passive mode and SSL support, causing the ftpd daemon to crash.

Gentoo 200801-17 netkit-ftpd 2008-01-29


ngircd: denial of service

Package(s):ngircd CVE #(s):CVE-2008-0285
Created:January 28, 2008 Updated:January 30, 2008

From the NVD entry:

ngIRCd 0.10.x before 0.10.4 and 0.11.0 before 0.11.0-pre2 allows remote attackers to cause a denial of service (crash) via crafted IRC PART message, which triggers an invalid dereference.

Gentoo 200801-13:02 ngircd 2008-01-27


pulseaudio: ignores setuid() return value

Package(s):pulseaudio CVE #(s):CVE-2008-0008
Created:January 25, 2008 Updated:February 14, 2008
Description: PulseAudio ignores the return value of setuid() when dropping root privileges. A local user can cause the call to fail in some cases by exhausting resources (a per-user process limit, for instance), leaving the daemon running with the privileges it was supposed to give up.
Gentoo 200802-07 pulseaudio 2008-02-13
Ubuntu USN-573-1 pulseaudio 2008-01-31
Mandriva MDVSA-2008:027 pulseaudio 2008-01-25
Debian DSA-1476-1 pulseaudio 2008-01-27
Fedora FEDORA-2008-0994 pulseaudio 2008-01-24
Fedora FEDORA-2008-0963 pulseaudio 2008-01-24


tikiwiki: multiple vulnerabilities

Package(s):tikiwiki CVE #(s):CVE-2007-6528 CVE-2007-6526 CVE-2007-6529
Created:January 24, 2008 Updated:January 30, 2008
Description: From the Gentoo alert:

Jesus Olmos Gonzalez from isecauditors reported insufficient sanitization of the "movies" parameter in file tiki-listmovies.php (CVE-2007-6528).

Mesut Timur from H-Labs discovered that the input passed to the "area_name" parameter in file tiki-special_chars.php is not properly sanitised before being returned to the user (CVE-2007-6526).

redflo reported multiple unspecified vulnerabilities in files tiki-edit_css.php, tiki-list_games.php, and tiki-g-admin_shared_source.php (CVE-2007-6529).

Gentoo 200801-10 tikiwiki 2008-01-23


yarssr: arbitrary code execution

Package(s):yarssr CVE #(s):CVE-2007-5837
Created:January 28, 2008 Updated:January 30, 2008

From the NVD entry: yarssr 0.2.2, when Gnome default URL handling is disabled, allows remote attackers to execute arbitrary commands via shell metacharacters in a link element in a feed.

Debian DSA-1477-1 yarssr 2008-01-27


Page editor: Jake Edge

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds