browsers
class of web exploits originally coined cross-protocol scripting, but now more
commonly referred to as inter-protocol exploitation.
Goatse Security has a double feature for you, starting with a 0day vuln:
* Safari (and other WebKit-based) browser port blocking bypassed by integer overflow
and a technique that, as far as I know, has not been premiered before:
* XHR (XMLHttpRequest) as a vector for mail merging or wordlist attacks in
XPS/IPE attacks
handling of multipart/x-mixed-replace images. Although no exploit was
shown, re-use of freed memory has led to exploitable vulnerabilities
in the past (CVE-2010-0164).
Mozilla developers identified and fixed several stability bugs in the
browser engine used in Firefox and other Mozilla-based products. Some
of these crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least some
of these could be exploited to run arbitrary code (CVE-2010-0165,
CVE-2010-0167).
From your paper:
>>It is noteworthy that it has taken 19 months since the initial general
availability of IE7 (public release October 2006) to reach 52.5%
proliferation amongst users that navigate the Internet with Microsoft's
Web browser. Meanwhile, 92.2% of Firefox users have migrated to FF2.
Could this be due to the fact that Mozilla stops supporting, and issuing
updates for old versions just a few months after the release of a new
one?
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.04:
abrowser 3.6.7+build2+nobinonly-0ubuntu0.9.04.1
firefox-3.0 3.6.7+build2+nobinonly-0ubuntu0.9.04.1
xulrunner-1.9.2 1.9.2.7+build2+nobinonly-0ubuntu0.9.04.2
Ubuntu 9.10:
firefox-3.5 3.6.7+build2+nobinonly-0ubuntu0.9.10.1
Hello Bugtraq!
I want to warn you about a security vulnerability in different browsers.
-----------------------------
Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera
and other browsers
-----------------------------
URL: http://websecurity.com.ua/4206/
-----------------------------
~~~~~~~~~~~~~~~~~~~
- Internet Explorer 5, 6, 7, 8 (all versions)
- Chrome (limited)
- Opera
- Seamonkey
- Midbrowser
- Netscape 6 & 8 (9 years ago)
- Konqueror (all versions)
- Apple iPhone + iPod
- Apple Safari
- Thunderbird
Hello Bugtraq!
I want to warn you about security vulnerabilities in different browsers.
With this advisory I continue my series of vulnerabilities in browsers
which belong to the group of DoS via protocol handlers.
-----------------------------
Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and
Opera
-----------------------------
Hi List,
For the last 18 months we analyzed the daily USER-AGENT data collected by
Google's Web search and application servers around the world to study how users
patch and update their Web browsers.
We found that approximately 637 million (or 45.2 percent) users currently
surf the Web on a daily basis with an out-of-date browser, i.e. not running a
current, fully patched Web browser version.
A reply from Robert Hensing at Microsoft
(http://blogs.technet.com/robert_hensing/archive/2008/07/01/vulnerable-web-browser-study-full-of-fail.aspx) says that your study did not include
minor version information for Internet Explorer, probably because such
information is not reported in the user-agent string. But fully-patched
copies of IE5 and IE6 are not insecure in the same way as an unsupported
version; Microsoft is still supporting them.
So is it true that your study calls anyone running IE7 secure, and
anyone running IE5 or IE6 insecure, regardless of their patch levels?
The Cisco Clientless VPN solution as deployed by Cisco ASA 5500
Series Adaptive Security Appliances (Cisco ASA) uses an ActiveX
control on client systems to perform port forwarding operations.
Microsoft Windows-based systems that are running Internet Explorer or
another browser that supports Microsoft ActiveX technology may be
affected if the system has ever connected to a device that is running
the Cisco Clientless VPN solution. A remote, unauthenticated attacker
who could convince a user to connect to a malicious web page could
exploit this issue to execute arbitrary code on the affected machine
with the privileges of the web browser.
Hello Bugtraq!
I want to warn you about a security vulnerability in different browsers.
-----------------------------
Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and
Opera
-----------------------------
URL: http://websecurity.com.ua/4238/
-----------------------------
even happier.
cross-site scripting attack. This flaw exists because
the application does not validate the 'sortby', 'tags' and 'ctx'
variables in the URI dialog upon submission to the
'index.html' script. This could allow a user to create
a specially crafted URL that would execute arbitrary
code in a user's browser within the trust relationship
between the browser and the server, leading to loss of integrity.
This issue can be dangerous, because if you are running
the Wowd client, you have all of these vulnerabilities, since
this issue can be exploited across all browsers;
you also must know about it :-).
My idea was to make a blocking DoS attack on Chrome (the first exploit was
a blocking DoS, the second was a blocking DoS and a DoS via resource consumption),
which I wrote about last year in my Classification of DoS vulnerabilities in
browsers (http://websecurity.com.ua/2550/). In 2008 I wrote about many
blocking DoS vulnerabilities in browsers, and this year I continued to write
about such holes, and after this one I'll write about another one soon (which
I found last year). Like these DoS vulnerabilities in Firefox, IE, Chrome
and Opera (http://websecurity.com.ua/3194/). Or like the DoS vulnerability in
Internet Explorer 7 (http://websecurity.com.ua/2872/), which is similar to
used for downloading a file which already exists in the downloads
folder is predictable. If an attacker had local access to a victim's
computer and knew the name of a file the victim intended to open
through the Download Manager, he could use this vulnerability to
place a malicious file in the world-writable directory used to save
temporary downloaded files and cause the browser to choose the
incorrect file when opening it. Since this attack requires local
access to the victim's machine, the severity of this vulnerability
was determined to be low (CVE-2009-3274).
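The predictable-name weakness described above, as an added example that is not from the Mozilla advisory or the Firefox code base: a hypothetical model of a download manager that derives its temporary path from the file name alone, a local attacker who plants a file at that path first, and the two fixes a practitioner reaches for, an unpredictable name plus O_EXCL creation, both of which `tempfile.mkstemp` provides. The paths, file names and the "reuse the file if it is already there" behaviour are assumptions made for illustration.

```python
"""Added example: predictable temp path in a shared directory vs. mkstemp/O_EXCL.
Not Firefox code; the 'reuse if present' logic is a hypothetical model of the
behaviour the advisory describes. All names and payloads are constructed."""
import os
import tempfile


def predictable_temp_path(tmpdir, filename):
    # Flawed scheme (model): the temp name depends only on the download's
    # file name, so anyone who knows the name knows the path in advance.
    return os.path.join(tmpdir, filename)


def plant_file(path, payload=b"ATTACKER CONTENT"):
    # Local attacker with write access to the shared directory drops a file
    # at the path the victim's browser is going to use.
    with open(path, "wb") as f:
        f.write(payload)
    return path


def vulnerable_download(tmpdir, filename, data):
    """Model of the flaw: if a file with the expected name already exists,
    treat it as the finished download and open it instead of writing `data`."""
    path = predictable_temp_path(tmpdir, filename)
    if not os.path.exists(path):
        with open(path, "wb") as f:
            f.write(data)
    with open(path, "rb") as f:
        return path, f.read()


def exclusive_create(path, data):
    """Create-or-fail: O_EXCL guarantees we never adopt a file someone else
    put there first. Raises FileExistsError on a planted file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def safe_download(tmpdir, filename, data):
    """Unpredictable name + O_EXCL + mode 0600; mkstemp does all three."""
    fd, path = tempfile.mkstemp(dir=tmpdir, prefix="dl-", suffix="-" + filename)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    with open(path, "rb") as f:
        return path, f.read()


def demo():
    """Run the scenario in a scratch directory and report what each variant did."""
    with tempfile.TemporaryDirectory() as tmpdir:
        victim_name = "report.pdf"          # constructed: file the victim expects
        real = b"%PDF-1.4 real document"    # constructed: genuine download bytes
        planted = plant_file(predictable_temp_path(tmpdir, victim_name))
        _, vuln_content = vulnerable_download(tmpdir, victim_name, real)
        safe_path, safe_content = safe_download(tmpdir, victim_name, real)
        try:
            exclusive_create(planted, real)
            excl_refused = False
        except FileExistsError:
            excl_refused = True
        return {
            "vulnerable_opened_attacker_file": vuln_content != real,
            "safe_opened_real_file": safe_content == real,
            "safe_path_differs": os.path.basename(safe_path) != victim_name,
            "exclusive_create_refused_planted_file": excl_refused,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Every key printed by `demo()` should be True. Note that O_EXCL on a still-predictable path only turns the attack into a denial of service (the download fails because the attacker's file is already there), which is why the name has to be unpredictable as well.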
Security researcher Paul Stone reported that a user's form history,
http://www.security-assessment.com/files/advisories/2008-10-22_Opera_Stored_Cross_Site_Scripting.pdf
== Issue Details ==
The Opera browser is vulnerable to stored Cross-Site
Scripting. A malicious attacker is able to inject
arbitrary browser content through the
websites visited with the Opera browser. The code
injection is rendered into the Opera History Search
page, which displays the URL and a short
Hi Bil,
> > My motivation for deleting the file retrieval
> > session record was that the extended hostname is
> > recorded in the browser history. So if the user
> > neglects to log out, and is using a laptop, and
> > the laptop is stolen (even if turned off), the
> > thief can access the file from the history until
> > the login session times out.
>
user-assisted execution of arbitrary code.
Background
==========
Mozilla Firefox is an open-source web browser and Mozilla Thunderbird
an open-source email client, both from the Mozilla Project. The
SeaMonkey project is a community effort to deliver production-quality
releases of code derived from the application formerly known as the
'Mozilla Application Suite'. XULRunner is a Mozilla runtime package
that can be used to bootstrap XUL+XPCOM applications like Firefox and
* Impact : Low
* Short description
Opera is vulnerable to a remote DoS attack, using specially crafted BMP
files, that causes the browser to freeze for a short amount of time
(around 4 minutes on a fast computer). An attacker could create a web
page that contains multiple BMP files displayed by an <img> tag. This
would freeze the browser for N*4 minutes, where N is the number of
images (so with 100 images the browser freezes for almost 7 hours). When
frozen, the browser consumes 100% CPU power.
Ubuntu 8.04 LTS:
firefox-3.0 3.6.9+build1+nobinonly-0ubuntu0.8.04.1
xulrunner-1.9.2 1.9.2.9+build1+nobinonly-0ubuntu0.8.04.1
Ubuntu 9.04:
abrowser 3.6.9+build1+nobinonly-0ubuntu0.9.04.1
firefox-3.0 3.6.9+build1+nobinonly-0ubuntu0.9.04.1
xulrunner-1.9.2 1.9.2.9+build1+nobinonly-0ubuntu0.9.04.1
Ubuntu 9.10:
firefox-3.5 3.6.9+build1+nobinonly-0ubuntu0.9.10.2
Ubuntu 8.04 LTS:
firefox-3.0 3.6.10+build1+nobinonly-0ubuntu0.8.04.1
xulrunner-1.9.2 1.9.2.10+build1+nobinonly-0ubuntu0.8.04.1
Ubuntu 9.04:
abrowser 3.6.10+build1+nobinonly-0ubuntu0.9.04.1
firefox-3.0 3.6.10+build1+nobinonly-0ubuntu0.9.04.1
xulrunner-1.9.2 1.9.2.10+build1+nobinonly-0ubuntu0.9.04.1
Ubuntu 9.10:
firefox-3.5 3.6.10+build1+nobinonly-0ubuntu0.9.10.1
pre-deployed, the client software is installed and run like any other
application.
When the Cisco AnyConnect Secure Mobility Client is deployed from the
VPN headend, an SSL connection is initiated to the VPN headend using
a web browser. After the user logs in, the browser displays a portal
window and when the user clicks the "Start AnyConnect" link, the
process of downloading the Cisco AnyConnect Secure Mobility Client
begins. This action causes the browser to first download a "helper"
application that aids in downloading and executing the actual Cisco
AnyConnect Secure Mobility Client. The helper application is a Java
1 Background
============
Android applications are executed in a sandbox environment, to ensure that no
application can access sensitive information held by another, without adequate
privileges. For example, the Dolphin browser application holds sensitive
information such as cookies, cache and history, and this cannot be accessed
by third-party apps. An Android app may request specific privileges during
its installation; if granted by the user, the app's capabilities are extended.
Intents are used by Android apps for intercommunication. These objects can be
Vulnerability ID: HTB23059
Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_browser_crm.html
Product: Browser CRM
Vendor: BrowserCRM Limited ( http://www.browsercrm.com )
Vulnerable Version: 5.100.01 and probably prior
Tested Version: 5.100.01
Vendor Notification: 23 November 2011
Vulnerability Type: XSS, SQL Injection
Risk level: High
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )
---[ Vulnerability description ]
Positive Research Center has discovered XSS in Kayako Support Suite.
The application insufficiently verifies incoming data in the "Subject" parameter in the LiveSupport module.
An attacker can use the vulnerability to inject and execute HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
An attack can be successful if an administrator deletes a message created by a user via the Delete button of the Options section of the message.
The application insufficiently verifies incoming data in the "Full Name" and "Subject" parameters in the Tickets module.
An attacker can use the vulnerability to inject and execute HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
An attack can be successful if an administrator views task information via the popup menu.
Hello Bugtraq!
I want to warn you about security vulnerabilities in email clients,
particularly in Outlook Express and Outlook. This advisory is related to
my series of advisories about vulnerabilities in browsers which belong to
the group of DoS via protocol handlers.
All those who doubt that these DoS vulnerabilities in browsers and email
clients are security vulnerabilities must read my first advisory on this
topic (http://www.securityfocus.com/archive/1/511327/30/0/threaded), where I
> The best way to defend against any Cross Site Scripting attacks is to
> sanitize all inputs and outputs properly on your website
XSS vulnerabilities must be fixed, and when they are made at web sites, then
they must be fixed at web sites. But in this case browser developers made
XSS holes (JavaScript execution) in redirectors, so what was just a
Redirector vulnerability (which can be used for redirection to malicious
sites and some other attacks) also becomes an XSS (JavaScript execution)
vulnerability. And there are a lot of redirectors (open ones) on the Internet,
both refresh-header redirectors and location-header redirectors. So these XSS
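The redirector point made in the message above, as an added example that is not MustLive's code nor any browser vendor's: a server-side check for a redirector's target that refuses non-http(s) schemes such as `javascript:` and `data:`, protocol-relative and foreign-host targets, and control characters, so that neither a `Location` header nor a `Refresh` header can be made to carry a script URL. The host allowlist, the response layout and the test URLs are assumptions constructed for illustration.

```python
"""Added example: validating an open redirector's target before emitting
Location / Refresh headers. Not from the original post or any browser vendor.
ALLOWED_HOSTS and the (status, headers) response shape are assumptions."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # assumed: the site's own hosts


def is_safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for http(s) URLs on an allowed host or same-site absolute paths."""
    if not target:
        return False
    # Control characters (tab, CR, LF, ...) enable header injection, and some
    # URL parsers skip over them ("java\tscript:"), so refuse them outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    t = target.strip()
    # Browsers treat backslash like slash in URLs; normalise before parsing so
    # "/\evil.example" is recognised as the protocol-relative "//evil.example".
    t = t.replace("\\", "/")
    parts = urlsplit(t)
    if parts.scheme:
        # javascript:, data:, vbscript:, file: ... are never redirect targets
        if parts.scheme.lower() not in ("http", "https"):
            return False
        # .hostname is lower-cased and excludes userinfo, so
        # "https://example.com@evil.example/" resolves to evil.example
        return (parts.hostname or "") in allowed_hosts
    # Scheme-less: accept only a same-site absolute path, never "//host"
    if t.startswith("//"):
        return False
    return t.startswith("/")


def unsafe_redirect_response(target):
    """The open redirector as commonly written: echoes the parameter verbatim
    into both a Location header and a Refresh header."""
    return 302, {"Location": target, "Refresh": "0; url=" + target}


def redirect_response(target):
    """Hardened variant: 302 with both headers only for a validated target,
    otherwise 400 with no redirect headers at all."""
    if not is_safe_redirect_target(target):
        return 400, {"Content-Type": "text/plain"}
    return 302, {"Location": target, "Refresh": "0; url=" + target}


if __name__ == "__main__":
    # constructed sample targets
    for t in ["https://www.example.com/account", "/login", "javascript:alert(1)",
              "//evil.example/", "https://example.com@evil.example/",
              "data:text/html,<script>alert(1)</script>"]:
        print(f"{t!r:50} safe={is_safe_redirect_target(t)}")
```

The check is deliberately an allowlist on scheme and host rather than a blocklist of dangerous schemes; the `unsafe_redirect_response` function is kept only to show what the typical redirector does with the same inputs.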
1. XSS 1
A HTTP GET request against the following URL will, on a web browser
with Javascript support, cause a dialog box saying '1' to be displayed:
http://CACTIHOST/graph.php?action=zoom&local_graph_id=1&graph_end=1%27%20style=visibility:hidden%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx%20y=%27
This vulnerability is only exploitable if the victim is allowed to view