URI scheme
Cross Site Redirection (CSR), Non-Persistent Script Injection and
Low Risk Information Disclosure.
Cross Site Script Redirection:
The "returnUrl" GET parameter of ViewIssue.jspa does not sanitize
user input sufficiently, which allows the data: URI scheme to be
used in an attack.
Proof of Concept URL:
ViewIssue.jspa?id=[VALID_ID]&watch=true&returnUrl=data:text/html,<script>alert(0)</script>
for either "www" or the following regular expression written in normal text:
Any letter from A to Z and/or a digit from 0-9 followed by :// will make the link valid.
The output in the Home Page field is most likely encoded with htmlspecialchars();
however, before the patch it did not check whether a user could create a link that
would send an unsuspecting user to the data: or javascript: URI scheme.
The only limits in the Home Page field are:
- 90 character limit
- Characters will be converted to HTML entities.
- We can only use the data or javascript URI scheme.
Didn't really work on my computer. The content of the address bar could be seen changing
continuously between swiecki.net and google.com, probably in a way similar to what happens with Safari.
> The second one is based on the http URI scheme which allows embedding
> user/password parameters into it, i.e. http://user:password@domain.com.
> Such parameters can contain whitespaces, so the attack vector is quite
> obvious.
> http://alt.swiecki.net/konq3.html
>
Jonathan Smith wrote:
> Robert Swiecki wrote:
> > The second one is based on the http URI scheme which allows embedding
> > user/password parameters into it, i.e. http://user:password@domain.com.
> > Such parameters can contain whitespaces, so the attack vector is quite
> > obvious.
> >
> > http://alt.swiecki.net/konq3.html
logs into the MCP, he is also logged into the ACP, allowing the same
exploit as last time
(remote PHP code injection via the hooks system).
If you Base64-encode your attack vector using
the data: URI scheme, the XSS survives the login request and activates after
the admin/moderator is logged in. A simple example of the above:
http://localhost/vB3/modcp/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
In this case (as per the last case as well), you have an unlimited and
malformed XML comments (CVE-2011-1157).
Cross-site scripting (XSS) vulnerability in feedparser.py in Universal
Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1
allows remote attackers to inject arbitrary web script or HTML
via an unexpected URI scheme, as demonstrated by a javascript: URI
(CVE-2011-1158).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
http://localhost/vB3/admincp/index.php?redirect={XSS}
Yes, here goes the obscure. What is even better is that the exploit will
work outright if the admin is already logged in; if the admin is not, they
will be required to log in. If you Base64-encode your attack vector using
the data: URI scheme, the XSS survives the login request and activates after
the admin is logged in. A simple example of the above:
http://localhost/vB3/admincp/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
Now to address the quote "potential for exposure and damage is limited".
Justin Dolske discovered a flaw in the password saving mechanism. By
tricking a user into opening a malicious web page, an attacker could
corrupt the user's stored passwords. (CVE-2008-0417)
Gerry Eisenhaur discovered that the chrome URI scheme did not properly
guard against directory traversal. Under certain circumstances, an
attacker may be able to load files or steal session data. Ubuntu is
not vulnerable in the default installation. (CVE-2008-0418)
David Bloom discovered flaws in the way images are treated by the
Subject: Re: Re: Re: Re: Re: Opera 9.6x file:// overflow
Sent: Nov 19, 2008 5:59 PM
Hi Peter,
Apropos of the file URI scheme, if you are talking about accessing a file with something like file://abcd... in a link, 'over a network', then most browsers (perhaps all) do not follow "file:" links on a page that is fetched over "HTTP". The purpose is "security", i.e. to prevent a remote page from executing a program on the visitor's computer.
The file: links work on pages that are local files on the user's disk! Though in some browsers these settings can be changed. That is why the Opera exploit through file://abcd.... does not work over a network.
Hope it answers your query!
--
Thanks & Regards,
which might allow the execution of arbitrary code.
CVE-2009-1306
Daniel Veditz discovered that the Content-Disposition: header is ignored
within the jar: URI scheme.
CVE-2009-1307
Gregory Fleischer discovered that the same-origin policy for Flash files
is improperly enforced for files loaded through the view-source scheme,
Because of this it is not possible to just write PHP code into a
file and execute it.
There is however a lesser known and nearly never used feature of PHP5
that allows exploiting this situation. By using the PHP5 filter
stream wrapper through the php://filter URI scheme it is possible to
write arbitrary files to the server. By crafting a configuration
filename like
php://filter/write=convert.base64-decode/resource=/var/www/x.php it
is possible to channel all writes to the file through a base64
decoder. Because PHP ignores invalid characters during base64
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2398 ) it's a lot harder to
conduct a successful attack - the URL address bar content changes so
frequently that the attack is revealed to the user (variants of the attack are
currently under investigation).
The second one is based on the http URI scheme which allows embedding
user/password parameters into it, i.e. http://user:password@domain.com.
Such parameters can contain whitespaces, so the attack vector is quite
obvious.
http://alt.swiecki.net/konq3.html
Various flaws were discovered in the JavaScript engine. By tricking
a user into opening a malicious message, an attacker could escalate
privileges within Thunderbird, perform cross-site scripting attacks
and/or execute arbitrary code with the user's privileges. (CVE-2008-0415)
Gerry Eisenhaur discovered that the chrome URI scheme did not properly
guard against directory traversal. Under certain circumstances, an
attacker may be able to load files or steal session data. Ubuntu is not
vulnerable in the default installation. (CVE-2008-0418)
Flaws were discovered in the BMP decoder. By tricking a user into
_______________________________________________________________________
Problem Description:
konqueror/konq_combo.cc in Konqueror 3.5.7 allows remote attackers
to spoof the data: URI scheme in the address bar via a long URI with
trailing whitespace, which prevents the beginning of the URI from
being displayed. (CVE-2007-3820)
KDE Konqueror 3.5.7 allows remote attackers to spoof the URL address
bar by calling setInterval with a small interval and changing the