HTML tags
There is a vulnerability in Internet Explorer which enables execution
of arbitrary code if the user visits a web page controlled by the
attacker. The vulnerability is caused by incorrect validation of an
integer parameter passed to the 'add' method of the Select HTML
element. This vulnerability has been observed in Internet Explorer 8.
The vulnerability has been patched by Microsoft on October 11, 2011.
II. THE BUG
The bug is caused by incorrectly validating integer parameter passed
message will be visible in the title part of a remote user's ICQ chat
window, when a chat session is initiated.
When a user writes a message in the status manager, the text string is
processed with the boxelyRenderer module. The boxelyRenderer module has
a vulnerability in the HTML tags processing code. If malformed HTML tags
are set for the 'status message', boxelyRenderer will try to process the
HTML tags, and a UNICODE heap overflow will occur.
The 'status' string from a remote user is processed by boxelyRenderer
for each new chat session. If the remote user has a malicious 'status
Well, not quite. The idea of an XSS is that you can gain the privilege
to inject HTML code when you didn't have any.
HTML is not the same as textual content, for example - a blog that
lets you add comments to a blog post is not giving you the ability to
inject HTML tags, so if you manage to do that you've gained a
privilege you're not supposed to have.
Same goes for any other XSS - you always begin by assuming you can't
inject HTML tags, and it's a vulnerability when you can. If you begin
by assuming you can already insert HTML tags then there could be
Nssboard, formerly Simple PHP forum, is vulnerable to HTML injection including scripts (possible XSS) in two ways:
1. If BBcode is disabled, HTML tags are no longer stripped, allowing XSS attacks, etc.
2. Profile information (user, email, Real Name) is not filtered. For example, a user could use something like "<script>alert(document.cookie)</script> " as a Real Name and the script would execute every time someone views that user's profile or the members page.
However, the number of characters allowed in Real Name is limited, so it's unlikely too much damage could be done.
If XSS is allowed, it could allow for Session Hijacking.
I found this bug using version 6.1 of NSSboard (the latest as of this writing), and it's likely that all earlier versions are also affected, but I didn't test them. I am using Debian Linux and lighttpd to host it.
So, if you find a way to execute your malicious JavaScript in the feed
subscription page, you can essentially execute native Opera functions and
ultimately use it to control the victim's Opera browser. It looks like
Opera's team did think about the implications of putting untrusted user
content in this page and hence only permitted a certain whitelist of HTML
tags. In addition, for some HTML tags such as "A" and "IMG", it required a
certain precondition to be met. See the code snippets captured using Opera's
built-in debugger DragonFly (you can also use Firebug Lite).
Whitelisted HTML Tags Definition - Opera Feed Subscription Page (Source -
DragonFly)
Internet Explorer resorts to MIME sniffing when either the Content-Type header
and the "magic" signature at the beginning of the file contradict each other,
or when the Content-Type header is unknown. In that case, IE will try to
establish the content type itself and can be tricked into assuming text/html
by placing certain HTML tags within the first 255 bytes of the file. Note that
such files can be valid image files despite their HTML payload.
A frequent example of an unknown content type is "image/bmp", which is
produced by PHP's (< 5.3.0) getimagesize API function[4].
More Details
============
To prevent the execution of JavaScript and VBScript code in HTML emails
and to remove unwanted HTML tags, the IceWarp WebMail Server filters HTML
emails with the function cleanHTML() that is defined in the PHP file
html/webmail/server/inc/tools.php
This filtering function can be circumvented in various ways, to still
+ Download: http://www.openit.it/index.php?option=com_jdownloads&Itemid=87&task=viewcategory&catid=3&lang=en
### VULNERABILITY DETAILS ###
+ Description: "title.php" reads the "frame" parameter with the sqgetGlobalVar function. The sqgetGlobalVar function applies the decodeHTML function to the variable. This function decodes HTML tags, which gives a chance of successful exploitation with some browsers (e.g. Mozilla Firefox encodes HTML tags). After that, the application includes the "frame" variable in inline JavaScript code.
+ Exploit/POC: http://www.anatoliasecurity.com/exploits/overlook-xss-poc.txt
Javascript-code, e.g. "><script>alert(1)</script>.
As this page cannot be viewed by the admin or other users, this only allows
quite unlikely attack scenarios, so the impact should be considered very low.
Vendor has released 1.7.1, which filters out HTML-tags and restricts the field
size to 10 chars. Filtering out HTML-tags alone does not help, as one can
still use JavaScript event handlers (e.g. onMouseOver), but 10 chars doesn't
allow any useful code to be injected. The proper solution would be escaping
the output including quotes. So this is fixed, but it's not a very clean
solution.
|EMAIL|<my_email>
|IP-ADDRESS|<my_ip_or_xss>
|MODERATIONFLAG|H
Now imagine that an attacker uses the XSS vulnerability to post
PHP code and HTML tags which will make the admin send an HTTP
request to exploit the LFI vuln. The XSS code will look like
this:
<!--- <?php
$handle = fopen('./themes/back.php', 'w+');
SELECT.
D) Multiple Reflected and Stored XSS
All forms that allow HTML tags are vulnerable to stored
XSS. The reason is that there are no checks for
JavaScript tags. Many reflected XSS are possible, but it is
impossible to use single/double quotes because of the escaping.
1. XSS.
Vulnerable script: news_page.php
Parameter 'page_id' is not
properly sanitized before being used in HTML tags. http://target.com/news_page.php?page_id="><h1>XSS</h1>
--------------PoC/Exploit----------------------
Waiting for developer(s) reply.
--------------Solution---------------------
to bypass this checkpoint and provides the "location.search" as in the previous
vulnerable versions.
The version 2.1.11 is patched against this vulnerability.
The server side validation introduced in the second generation appears to be a black-list
based filter. All HTML tags tested were blocked by the filter. However the '<BGSOUND>' tag
has not been included in the black-list and it bypasses the server-side validation.
As reported by Rsnake in his XSS Cheat Sheet,'<BGSOUND>' tag is a valid attack vector in
certain versions of Opera.
The latest version (2.1.12) has not yet been tested for this vector. Since only Opera
This script sets the movie parameter value into $movie. The last 4
bytes are erased and an .xml extension is appended. Then, the file is
opened for reading with the call fopen($confFile,'r') and the first
1000 bytes are read from the file. Then the 1000 bytes are parsed and
used as the values for MovieWidth and MovieHeight HTML tags. Finally
the resulting HTML file is returned to the user by the webserver.
The vulnerable snippet of code is:
if(isset($_GET["movie"])) {
Multiple stack buffer overflow vulnerabilities have been discovered in
Amaya web editor/browser [1], which can be exploited by unauthorized
people using crafted web pages to compromise a user's system.
A boundary error when processing 'input' HTML tags can be exploited to
cause a stack-based buffer overflow via an overly long 'type' parameter
(Bugtraq ID 33046). Code analysis of the Amaya XHTML parser reveals
multiple unchecked buffers declared on the stack, one of which is used
in the function 'EndOfXmlAttributeValue()':
It seems that IBM Lotus Quickr uses an XSS filter, and an attacker can bypass this filter.
Example of the IBM Quickr 8.0 XSS filter:
http://victim.com/QuickPlace/main.nsf/h_Toc/2a922d48c75dd00b052567080016723a/?OpenDocument&Count='20"><script>alert('g')</script>
and then you will get an error message from Quickr:
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
IBM Quickr 8.0 calendar XSS (bypass of weak XSS filter) PoC:
http://victim.com/QuickPlace/main.nsf/h_Toc/2a922d48c75dd00b052567080016723a/?OpenDocument&Count='20"><iframe/%20/onload=alert(/XSSByNirG/)>
Credit: This flaw was discovered by Nir Goldshlager (Avnet)
Description
===========
Ulf Harnhammar, Secunia Research discovered that the "frame" and
"frameset" HTML tags are not properly filtered out. He also reported
that certain HTTP requests are executed without being checked.
Impact
======
1. XSS.
Vulnerable script: search.php
Parameter 'query' is not
properly sanitized before being used in HTML tags. http://target.com/search.php?query="><h1>XSS</h1>
--------------PoC/Exploit----------------------
Waiting for developer(s) reply.
--------------Solution---------------------
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within Internet Explorer that allows malicious
users to leak information about the memory layout of an Internet
Explorer process. When creating a new 'Option' HTML Element, the 'index'
field of the object is not set to zero and can be used to leak the
location of the global variable table. This can be used to defeat ASLR
or to remove the need for heap spraying while exploiting a remote code
execution flaw.
Product: Microsoft Excel 2007
OS: Windows XP
Hello
I would like to inform you that, more out of curiosity than anything else, I found a vulnerability in Excel: it is possible to run JavaScript code (XSS). It seems there are certain HTML tags that, when injected into Excel together with other code, can execute JavaScript. The curious thing about this flaw is that after the XSS executes, Excel crashes; examining this with a debugger, the result is as follows ..
Access violation when reading [00000034]
Well, the procedure for conducting the test is fairly basic in concept: below I leave an address containing the XSS; you only have to select it and copy it into an Excel spreadsheet, and you may see the vulnerability.
Html tags were removed from the advisory during the submission process. Hopefully the following advisory will correct this.
Title: RunCMS XSS Vulnerability via User Agent
Vendor: RunCMS
Product: RunCMS
Tested Version: 2.1
Threat Class: XSS
Severity: Medium
The Proofpoint Protection Server offers anti-spam and anti-virus,
connection management, email firewall and policy enforcement features.
A Cross-Site Scripting (XSS) vulnerability has been discovered in the
Proofpoint Protection Server where input is passed to the query string
of process.cgi. This has occurred as a result of the application not
properly filtering HTML tags which allows malicious JavaScript to be
embedded. When input is incorrectly validated and not properly sanitised
and then displayed in a web page, attackers can trick users into viewing
the web page and causing malicious code to be executed.
Proof of Concept.
(and its unreleased 2.4 branch), is vulnerable to two Cross Site
Scripting issues.
1. The comment posting mechanism of Silverstripe ('PostCommentForm')
fails to properly sanitize the 'CommenterURL' parameter. This allows for
persistent injection of HTML or javascript code within existing HTML tags.
2. The forum module is vulnerable to a reflective XSS issue caused by
the search script failing to properly sanitize input to the 'Search'
parameter. When invoking this URL:
SILVERSTRIPESITE/forums/search/?Search=%22%20onmouseover=%22javascript:alert%280%29;%22
details/pocs
———————————
1. Denial of Service vulnerability
Post Revolution allows some HTML tags in the comments and removes all
non-permitted.
The vulnerable code is in the lines 456 to 462 in common.php:
while(stripos($s,'<') > 0){
$pos[1] = stripos($s,'<');
===========
IV. Exploit
===========
The exploit is performed by replacing malicious_script with the relevant
javascript payload. An evasion for simple XSS signature protection (where
applicable), can allow executing the same script without using HTML tags, as
seen in the following sample:
http://[host]:[port]/wps/wcm/webinterface/login/login.jsp?"
style="tr:expression(malicious_script)
Html tags were removed from the advisory during the submission process. Hopefully the following advisory will correct this.
Title: MODx Installation File XSS Vulnerability
Vendor: MODx
Product: MODx CMF
Tested Versions: 1.0.3, 1.0.4
Threat Class: XSS
Severity: Medium
Remote: yes
vulnerable installations of Apple Webkit. User interaction is required
to exploit this vulnerability in that the target must visit a malicious
page or open a malicious file.
The specific flaw exists within the setOuterText method of the Webkit
htmlelement library. Due to a failure to properly track DOM
manipulations made within the browser, it is possible to make use of a
previously freed pointer and facilitate remote code execution under the
context of the user running the browser process.
-- Vendor Response:
http://192.168.1.1/cgi-bin/script?system%20whoami
Returns:
root
5. Using a CSRF attack, one could remotely own a router using, for example, simple <img> HTML tags pointing to http://192.168.1.1/...
6. The issue was tested on firmware: 66.34.1
7. The vendor was notified on 30.12.08, but we got no reasonable response till now (the bug remains unpatched).
XOOPS is a content management system written in PHP. During an application
penetration test Sense of Security identified that Input passed to the "op"
parameter of viewpmsg.php, and in the query string of user.php are
vulnerable to Cross-Site Scripting vulnerabilities. This occurred as a
result of the application not properly filtering HTML tags which allowed
malicious JavaScript to be embedded. When input is incorrectly validated and
not properly sanitised and then displayed in a web page, attackers can trick
users into viewing the web page and causing malicious code to be executed.
1. The attacker can inject malicious input from the FTP login console. As the authentication credentials are invalid, the FTP authentication
module generates an error and the supplied input is logged to the web interface of the disk station.
2. Secondly, the FTP logging module is not designed appropriately: the content coming from the FTP login console is placed directly into the log
window without verification of the Content-Type parameter. The content is allowed to be rendered as HTML, script etc. An attacker can inject
malicious HTML tags, DOM calls, third-party scripts and CSRF calls that get executed in the context of the logged-in account which is administering it.
3. Usually the log mechanism is handled by the admin account. The chances of code execution and successful injection are high, with the full privileges
of the administrator. So any code injected by the attacker becomes persistent in most cases and remains there for execution. Moreover, CSRF
code with malicious calls can be executed without user interaction.
4. The attacker has to be well versed in the directory structure of the Disk Station Manager so that injections can be crafted accordingly and further
operations can be performed. The FTP servers accept username strings up to 80-100 characters, which is good enough to craft injections to get the