The link cannot be traversed properly in the status/address bar. This could facilitate the impersonation of legitimate web sites in order to steal sensitive information from unsuspecting users. A URI specified with the @ character, with or without a NULL character, causes the vulnerability.
Proof of Concept:
http://www.secniche.org/gcuri/index.html
http://evilfingers.com/advisory/index.php
necessary changes.
Details follow:
Kojima Hajime discovered that Firefox did not properly handle an escaped null
character. An attacker may be able to exploit this flaw to bypass script
sanitization. (CVE-2008-5510)
Wladimir Palant discovered that Firefox did not restrict access to cookies in
HTTP response headers. If a user were tricked into opening a malicious web
page, a remote attacker could view sensitive information. (CVE-2009-0357)
Chip Salzenberg, Justin Schuh, Tom Cross, and Peter William discovered Firefox
did not properly parse URLs when processing certain control characters.
(CVE-2008-5508)
Several flaws were discovered in the Javascript engine. If a user were tricked
into opening a malicious website, an attacker could exploit this to execute
arbitrary Javascript code within the context of another website or with chrome
This is a platform-dependent bug; you can read more at
http://seclists.org/fulldisclosure/2010/Jul/137
It only works on Windows systems. An attacker can include a local file using
../ characters because the id parameter is not filtered.
If magic_quotes_gpc is Off, arbitrary files such as boot.ini can be included
by using the NULL character (%00); if it is On, only PHP files are allowed.
5.4 - Path traversal & arbitrary write and delete files - CVE-2010-4282 - CVSS 8.0/10
Chip Salzenberg, Justin Schuh, Tom Cross, and Peter William discovered
Thunderbird did not properly parse URLs when processing certain control
characters. (CVE-2008-5508)
Kojima Hajime discovered that Thunderbird did not properly handle an escaped
null character. An attacker may be able to exploit this flaw to bypass script
sanitization. (CVE-2008-5510)
Several flaws were discovered in the Javascript engine. If a user were tricked
into opening a malicious website and had Javascript enabled, an attacker could
exploit this to execute arbitrary Javascript code within the context of another
it makes contact with the Deployment server and sends a
notification packet to alert the server that the client machine
is available.
This is an ASCII-based packet with a terminating NULL character.
At least two of the strings contained in this packet can be used
to inject arbitrary SQL syntax into a SQL call, resulting in
SQL injection.
$data[ $k ] = $v;
}
}
}
As we can see, the function removes null characters and "../" sequences from
incoming data to prevent unwanted file inclusion.
The next function that affects the input is:
parentheses (they are required for the substr function and there is no substitute solution).
To bypass this check, I consider MySQL and PHP together. PHP functions consider
a string only up to the first null character. MySQL also supports comment syntax
such as /* the comment */, and before executing any SQL query MySQL strips these
comments from the query.
Thus I place a null character within a MySQL comment right after each
echo fread($fp, $flen);
fclose($fp);
[as the developer comments out] When magic_quotes_gpc is disabled, it is
possible to bypass the extension check via null character injection
(because of the null-terminating behavior in any function that uses
fopen_wrappers), which could result in source code disclosure!
POC :
http://localhost/modx-0.9.6.1/assets/js/htcmime.php?file=../../manager/includes/config.inc.php%00.htc