0day.today - Ce-a mai mare baze de date de exploit-uri din lume.
![](/img/logo_green.jpg)
Folosim un singur domeniu DOMAIN_LINK
Dacă dorești să cumperi un exploit sau să platești pentru un serviciu, trebuie să cumperi Gold. Nu dormim să folosim site-ul pentru scopuri informatice negative (hacking), prin urmare orice tip de acțiune de hacking care poate afecta ilegal alți utilizatori sau pagini web la care nu ești proprietar va fi pedepsită cu blocarea contului permanentă incluzand distrugerea datelor tale care aparțin de cont.
Administrația acestui website folosește adresele oficiale de contact. Atenție la impostori!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Citiți [ acordul ]
- Citiți [ trimite ] reguli
- Vizitați [ Întrebări frecvente. ] pagină
- [ Înregistrare ] profil
- Obține [ GOLD ]
- Dacă dorești să [ vinzi ]
- Dacă dorești să [ cumperi ]
- Dacă ați pierdut [ cont-ul vizitați această pagină. ]
- Orice întrebări [ [email protected] ]
- Pagină de autorizare
- Pagină de Înregistrare
- Pagină de restaurare a unui cont
- Pagina FAQ
- Pagina de contact
- Regulamentul pentru post-uri
- Pagina de acorduri
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Ne puteți contacta prin:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WebKit - Universal XSS Using Cached Pages Exploit
VULNERABILITY DETAILS ``` void FrameLoader::detachChildren() { [...] SubframeLoadingDisabler subframeLoadingDisabler(m_frame.document()); // ***1*** Vector<Ref<Frame>, 16> childrenToDetach; childrenToDetach.reserveInitialCapacity(m_frame.tree().childCount()); for (Frame* child = m_frame.tree().lastChild(); child; child = child->tree().previousSibling()) childrenToDetach.uncheckedAppend(*child); for (auto& child : childrenToDetach) child->loader().detachFromParent(); } ``` When a cached page is being restored, and the page that's being navigated away is not cacheable, there exists a time frame during which two documents are attached to the same frame. If an attacker finds a way to run JS during this time frame, she will be able to use one of the documents to execute JavaScript in the context of the other one. One possible call stack that might lead to JS execution is: ``` a child frame's unload handler ... ContainerNode::disconnectDescendantFrames() Document::prepareForDestruction() FrameLoader::clear() FrameLoader::open() ``` By the time `FrameLoader::clear` is called, child frames are usually already disconnected from the document via ``` FrameLoader::detachChildren() FrameLoader::setDocumentLoader() FrameLoader::transitionToCommitted() ``` However, the attacker can initiate a new page load inside `detachChildren` to bypass `SubframeLoadingDisabler` and create a new child frame. Note that it won't cancel the cached page load. The attack has a restriction that significantly limits its applicability -- a victim page should load a (potentially sandboxed) <iframe> with attacker-controlled content, so the attacker's JS has a chance to run inside `Document::prepareForDestruction`. This is the case, for example, for online translators. VERSION WebKit revision 246194 It's unclear whether the bug is exploitable in Safari 12.1.1. The repro case seem to have an issue with a nested `showModalDialog` call. REPRODUCTION CASE The test case again relies on `showModalDialog` to perform synchronous page loads. Moreover, the code is wrapped inside a `showModalDialog` call to keep a user gesture token active throughout its execution. CREDIT INFORMATION Sergei Glazunov of Google Project Zero Proof of Concept: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47453.zip # 0day.today [2024-07-01] #