LWN.net Logo

Advertisement

TrustCommerce

E-Commerce & credit card processing - the Open Source way!

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

LWN.net Weekly Edition for July 2, 2009

RealtimeKit and the audio problem

VFAT patent avoidance and patent workarounds

LWN.net Weekly Edition for June 25, 2009

Apache attacked by a "slow loris"

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Security

Leaking browser history

By Jake Edge
June 25, 2008

Browser history is fairly sensitive information for most people. If there were a way for random web sites to grab a list of other sites you have visited recently, it would cause a fair amount of concern. Unfortunately, a longstanding problem in the HTML Document Object Model (DOM) makes for an information leak nearly as bad as that.

The problem stems from the handy feature that browsers implement to show you which links you have already visited. The way that they show links in a different color if you have visited them is by turning on the "visited" style for the link. Many sites, such as LWN, then change the default colors for both visited and non-visited links via the site's Cascading Style Sheet (CSS). This information gets recorded in the DOM for the page which can be queried from Javascript.

Because of the nature of the leak, scripts cannot get a full dump of the browser's history, but they can get the visited status for a set of sites they are interested in. A web site that wishes to gather this kind of information need only add a link to each site of interest—often in an unreadable font size or color—and send over a bit of Javascript to read the DOM status for each link.

While this problem has been known since at least 2002, there is no easy fix while still being compliant with the CSS standard. Because of that, most or all browsers are vulnerable. It has recently been in the news because it is being used in a benign, or at least semi-benign, way.

These days many news sites and blogs have small images that correspond to various social networking sites—digg, reddit and the like—that allow voting on particular stories or postings. Those images are buttons that register a vote or submission of the site that displays them. With the proliferation of these sites, a great deal of screen real estate was being taken up by these icons, many of which were not useful because the person viewing them never visited those particular sites.

To reduce the clutter, Aza Raskin created some Javascript code to determine which of the social networking sites a particular user had visited so that only the icons for those sites were displayed. Many people would find that to be a useful hack, one that was fairly minimally intrusive, which it is at some level. Others, with a more strict personal privacy desire, might find it more than a bit creepy.

Reducing clutter is one thing, but this technique can be used to gather much more sensitive information than which of the many social networking "news" sites you visit. It is tempting to remind readers of the NoScript Firefox extension, but it has become increasingly difficult to do nearly anything on the web without enabling Javascript. Many sites essentially hide their content behind a Javascript test, refusing to display it unless Javascript is enabled.

This makes it difficult to avoid giving away some of your browsing history to dodgy sites—or those with cross-site scripting vulnerabilities—other than by avoiding them entirely. It is an unfortunate side effect of a useful property that, as the discussion on the Mozilla bugzilla shows, will be difficult to completely eliminate. It should be noted that the links do not have to be obfuscated—by adding a dash of Javascript LWN could know whether you have visited digg or reddit. But, of course, we don't force Javascript on our readers.

Comments (25 posted)

New vulnerabilities

clamav: denial of service

Package(s):clamav CVE #(s):CVE-2008-2713
Created:June 23, 2008 Updated:August 13, 2008
Description: Versions of clamav prior to 0.93.1 can be made to perform an out-of-bounds read with a specially-crafted file, leading to a denial of service vulnerability.
Alerts:
Mandriva MDVSA-2008:166 2007-08-12
Gentoo 200808-07 2008-08-08
Fedora FEDORA-2008-6338 2008-07-17
SuSE SUSE-SR:2008:015 2008-07-18
Fedora FEDORA-2008-6422 2008-07-17
Debian DSA-1616-2 2008-07-26
Debian DSA-1616-1 2008-07-24
SuSE SUSE-SR:2008:014 2008-07-04
Mandriva MDVSA-2008:122 2007-06-24
Fedora FEDORA-2008-5476 2008-06-20

Comments (none posted)

fetchmail: denial of service

Package(s):fetchmail CVE #(s):CVE-2008-2711
Created:June 20, 2008 Updated:July 29, 2008
Description: From the CVE entry: fetchmail 6.3.8 and earlier, when running in -v -v mode, allows remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed mail message with long headers, which is not properly handled when using vsnprintf to format log messages.
Alerts:
Slackware SSA:2008-210-01 2008-07-29
rPath rPSA-2008-0235-1 2008-07-28
Fedora FEDORA-2008-5789 2008-06-28
Fedora FEDORA-2008-5800 2008-06-28
Mandriva MDVSA-2008:117 2007-06-19

Comments (none posted)

gallery: multiple vulnerabilities

Package(s):gallery CVE #(s):CVE-2008-2720 CVE-2008-2721 CVE-2008-2722 CVE-2008-2723 CVE-2008-2724
Created:June 23, 2008 Updated:June 25, 2008
Description: Gallery suffers from a number of vulnerabilities, including cross-site scripting, information disclosure, permission escalation, and authentication bypass. Version 2.2.5 fixes these problems; see the release announcement for details.
Alerts:
Fedora FEDORA-2008-5576 2008-06-20
Fedora FEDORA-2008-5479 2008-06-20

Comments (none posted)

horde: cross-site scripting

Package(s):horde CVE #(s):
Created:June 25, 2008 Updated:June 25, 2008
Description: The Horde application framework suffers from a cross-site scripting vulnerability which is exploitable by authenticated users. The 3.2.1 release fixes the problem.
Alerts:
Fedora FEDORA-2008-5683 2008-06-25
Fedora FEDORA-2008-5691 2008-06-25

Comments (none posted)

IBM JDK/JRE: multiple vulnerabilities

Package(s):ibm-jdk-bin CVE #(s):
Created:June 25, 2008 Updated:June 25, 2008
Description: The IBM Java development kit and runtime environment (prior to versions 1.5.0.7 and 1.4.2.11) suffer from a number of remotely-exploitable code execution vulnerabilities.
Alerts:
Gentoo 200806-11 2008-06-25

Comments (none posted)

kernel: information disclosure

Package(s):kernel CVE #(s):CVE-2008-2729
Created:June 25, 2008 Updated:August 27, 2008
Description: The kernel memory copy routines (on the x86_64 architecture only) do not always zero memory at the destination location, potentially leaking data.
Alerts:
Debian DSA-1630-1 2008-08-21
Mandriva MDVSA-2008:174 2008-08-19
Ubuntu USN-625-1 2008-07-15
CentOS CESA-2008:0508 2008-06-27
CentOS CESA-2008:0519 2008-06-26
Red Hat RHSA-2008:0519-01 2008-06-25
Red Hat RHSA-2008:0508-01 2008-06-25
Red Hat RHSA-2008:0585-01 2008-08-26

Comments (none posted)

kernel: information disclosure

Package(s):kernel CVE #(s):CVE-2008-0598
Created:June 25, 2008 Updated:November 20, 2008
Description: From the Red Hat advisory: Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local unprivileged user to prepare and run a specially crafted binary, which would use this deficiency to leak uninitialized and potentially sensitive data.
Alerts:
Debian DSA-1630-1 2008-08-21
Ubuntu USN-625-1 2008-07-15
CentOS CESA-2008:0508 2008-06-27
CentOS CESA-2008:0519 2008-06-26
Red Hat RHSA-2008:0519-01 2008-06-25
Red Hat RHSA-2008:0508-01 2008-06-25
Ubuntu USN-637-1 2008-08-25
SuSE SUSE-SA:2008:047 2008-10-01
SuSE SUSE-SA:2008:048 2008-10-01
SuSE SUSE-SA:2008:049 2008-10-02
Mandriva MDVSA-2008:220 2008-10-29
Mandriva MDVSA-2008:220-1 2008-11-19

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2008-2365
Created:June 25, 2008 Updated:July 16, 2008
Description: A race condition in the ptrace() system call can be exploited by a local user to hang the system.
Alerts:
Ubuntu USN-625-1 2008-07-15
CentOS CESA-2008:0508 2008-06-27
Red Hat RHSA-2008:0508-01 2008-06-25

Comments (none posted)

nasm: off-by-one error

Package(s):nasm CVE #(s):CVE-2008-2719
Created:June 23, 2008 Updated:October 1, 2008
Description: From the CVE entry: Off-by-one error in the ppscan function (preproc.c) in Netwide Assembler (NASM) 2.02 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted file that triggers a stack-based buffer overflow.
Alerts:
Mandriva MDVSA-2008:120 2008-06-21
Ubuntu USN-648-1 2008-09-30

Comments (none posted)

phpMyAdmin: cross-site scripting

Package(s):phpMyAdmin CVE #(s):
Created:June 25, 2008 Updated:June 25, 2008
Description: phpMyAdmin suffers from cross-site scripting vulnerabilities in several library scripts. From the advisory: "We were able to reproduce this only on systems where both of these conditions are true: the PHP register_globals setting is 'on' and the web server does not apply the settings contained in the .htaccess file that we placed in /libraries."
Alerts:
Fedora FEDORA-2008-5676 2008-06-25
Fedora FEDORA-2008-5640 2008-06-25

Comments (none posted)

ruby: multiple vulnerabilities

Package(s):ruby CVE #(s):CVE-2008-2662 CVE-2008-2663 CVE-2008-2664 CVE-2008-2725 CVE-2008-2726
Created:June 25, 2008 Updated:October 10, 2008
Description: The ruby language suffers from a number of denial-of-service and code execution vulnerabilities; see this advisory for details.
Alerts:
Debian DSA-1612-1 2008-07-21
CentOS CESA-2008:0562 2008-07-15
Mandriva MDVSA-2008:140 2008-07-09
Debian DSA-1618-1 2008-07-26
CentOS CESA-2008:0561 2008-07-14
Red Hat RHSA-2008:0561-01 2008-07-14
Mandriva MDVSA-2008:142 2008-07-09
Mandriva MDVSA-2008:141 2007-07-09
Fedora FEDORA-2008-6094 2008-07-04
Fedora FEDORA-2008-6033 2008-07-03
Slackware SSA:2008-179-01 2008-06-30
Ubuntu USN-621-1 2008-06-26
rPath rPSA-2008-0206-1 2008-06-26
Fedora FEDORA-2008-5664 2008-06-25
Fedora FEDORA-2008-5649 2008-06-25
SuSE SUSE-SR:2008:017 2008-08-29

Comments (none posted)

sblim: arbitrary code execution

Package(s):sblim CVE #(s):CVE-2008-1951
Created:June 24, 2008 Updated:June 25, 2008
Description: From the Red Hat advisory: It was discovered that certain sblim libraries had an RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. This RPATH pointed to a sub-directory of a world-writable, temporary directory. A local user could create a file with the same name as a library required by sblim (such as libc.so) and place it in the directory defined in the RPATH. This file could then execute arbitrary code with the privileges of the user running an application that used sblim (eg tog-pegasus).
Alerts:
CentOS CESA-2008:0497 2008-06-24
Red Hat RHSA-2008:0497-01 2008-06-24

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds