Hi!

Just stumbled upon this issue:

<html>
<head>
<title>csrf via eot</title>

<!-- via LINK tag -->
<link rel="fontdef" src="http://what.ever.you.want">

<!-- or via STYLE tag -->
<style type="text/css">
@font-face { font-family:Chianti XBd BT;
src:url(http://what.ever.you.want); }
</style>
</head>
<body>
csrf via eot
</body>
</html>

Using this proprietary code to embed fonts for IE you can create a CSRF vector because IE of course has to make a request to the given ressource - interesting should be the fact of filter evasion possible with this snippet. I tried to create an xss with that one but didn't manage it.

Greetings and happy new year,
.mario



Edited 1 time(s). Last edit at 12/25/2006 04:37AM by .mario.

Yup, that's true with any CSS definition or embedded content in general.

- RSnake
Gotta love it. http://ha.ckers.org

what has this to do with CSRF/session riding?

Not all browsers send cookies for link, img etc. tags. Do all IE behave the same way?
BTW, has someone a list about that browser behaviour?

kirke Wrote:
-------------------------------------------------------
> Not all browsers send cookies for link, img etc.
> tags.


Really? Which ones don't? From my experience they all do, and rightly so in my opinion.