
XHTML 1.0

Amaya 11.1 XHTML Parser Buffer Overflow

#=cicatriz <c1c4tr1z@voodoo-labs.org>=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~(advisories)=#
                                     /)           /)     /)                   
                        _ _  _______(/ ________  // _   (/_ _       _____  _  
                        (/__(_)(_)(_(_(_)(_)    (/_(_(_/_) /_)_ o  (_)/ (_(_/_
                                                                         .-/  
#=Amaya 11.1 XHTML Parser Buffer Overflow=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~(_/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Advisory & Vulnerability Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

        Title: Amaya 11.1 XHTML Parser Buffer Overflow
        Advisory ID: VUDO-2009-0104

XSS Vulnerability in Active Calendar 1.2.0

Discovered by Martin Barbella <martybarbella@gmail.com>

Description of Vulnerability:
-----------------------------
Active Calendar is a PHP class that generates calendars (year, month or
week view) as an HTML table (XHTML-valid). (From:
http://micronetwork.de/activecalendar/index.php)

In the functions enableYearNav, enableMonthNav, enableDayLinks, and
enableDatePicker of the activeCalendar class, certain variables are
assigned the value of $_SERVER['PHP_SELF'] when either no value is

[waraxe-2010-SA#079] - Reflected XSS in Coppermine 1.5.10

if ($header != '') {
    $content = '<h1>'.$header.'</h1>';
    $content .= $text;
..
echo <<< EOT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
..
        <div id="cpg_main_block">
            $string
            $content
-----------------[ source code end ]-----------------------------------

PHP 5.2.4 mail.force_extra_parameters unsecure

and now

cxib# curl http://localhost:82/narkotyk/phpcode.php
69755 <<< To: root@xxxxxxxxxxxxxxxxxx
69755 <<< Subject: h<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html><head>
<style type="text/css">
body {background-color: #ffffff; color: #000000;}
body, td, th, h1, h2 {font-family: sans-serif;}
... phpinfo().

Cross-Site Scripting (XSS) in phpWebSite 1.4.0 search

Version: 1.4.0
Release date: Dec 11, 2007

Developed by the Web Technology Group at Appalachian State University,
phpWebSite provides a complete web site content management system ( CMS ).
All client output is XHTML 1.0 and meets the
W3C's Web Accessibility Initiative requirements.


--DISCUSSION---------------------------------


Re[2]: [Full-disclosure] Addendum : [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

Affected : All Firefox versions that support SVG.

Then think about what version of Firefox you are using.

JP> If I understand the process, saving the text at [IV. Proof of
JP> concept] (following the "~~~..." to an .XHTML file, and launch the
JP> file using Firefox, I should lose functionality ("Browser doesn't
JP> respond any longer to any user input, all tabs are no longer
JP> accessible, your work if any (hail to the web 2.0) might be lost.")

JP> Using FF2.0.0.20 and the file does not result in loss of use. All

Re: Addendum : [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

If I understand the process, saving the text at [IV. Proof of concept] (following the "~~~..." to an .XHTML file, and launch the file using Firefox, I should lose functionality ("Browser doesn't respond any longer to any user input, all tabs are no longer accessible, your work if any (hail to the web 2.0) might be lost.")

Using FF2.0.0.20 and the file does not result in loss of use. All tabs are functional. All JAVA links continue to function. Same result for naming the POC file to .HTML, .HTM.

>>> Thierry Zoller <Thierry@Zoller.lu> 05/26/2009 13:13 >>>


For those that failed to reproduce, try naming the POC file with an XHTML
extension.


IE7

<!--
securitylab.ir
K4mr4n_st@yahoo.com
-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<HTML xmlns="http://www.w3.org/1999/xhtml"> 
    <HEAD>
<script>   
            function load(){
                var e;

Re[2]: Addendum : [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

--Wednesday, May 27, 2009, 7:56:56 PM, you wrote to cert@cert.org:

JP> If I understand the process, saving the text at [IV. Proof of
JP> concept] (following the "~~~..." to an .XHTML file, and launch the
JP> file using Firefox, I should lose functionality ("Browser doesn't
JP> respond any longer to any user input, all tabs are no longer
JP> accessible, your work if any (hail to the web 2.0) might be lost.")

JP> Using FF2.0.0.20 and the file does not result in loss of use.

ZDI-09-086: Microsoft Internet Explorer XHTML DOM Manipulation Memory Corruption Vulnerability

ZDI-09-086: Microsoft Internet Explorer XHTML DOM Manipulation Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-086
December 8, 2009

-- CVE ID:
CVE-2009-3671

-- Affected Vendors:
Microsoft


JAHx102 - HuskiCMS local file inclusion

20100205 - Justanotherhacker.com : HuskiCMS local file inclusion
JAHx102 - http://www.justanotherhacker.com/advisories/JAHx102.txt
--------------------------------------------------------------------------------------------

HuskiCMS
huski CMS effectively places the control of the website back into the hands of you, the site owner. huski CMS is extremely user-friendly and has been developed with the lowest denominator in IT knowledge in mind. huski CMS is still a very powerful and flexible system which ensures your site is using the latest technologies such as AJAX, XML, XHTML, and CSS.
[ Taken from: http://www.huskicms.com ]


--- Vulnerability description ---
A conditional local file inclusion exists in the image resizing script size.php's i parameter.

ZDI-08-050: Microsoft Internet Explorer XHTML Rendering Memory Corruption Vulnerability

ZDI-08-050: Microsoft Internet Explorer XHTML Rendering Memory Corruption 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-050
August 12, 2008

-- CVE ID:
CVE-2008-2257

-- Affected Vendors:
Microsoft

CORE-2008-1211: Amaya web editor XML and HTML parser vulnerabilities

Amaya web editor/browser [1], which can be exploited by unauthorized
people using crafted web pages to compromise a user's system.

A boundary error when processing 'input' HTML tags can be exploited to
cause a stack-based buffer overflow via an overly long 'type' parameter
(Bugtraq ID 33046). Code analysis of the Amaya XHTML parser reveals
multiple unchecked buffers declared on the stack, one of which is used
in the function 'EndOfXmlAttributeValue()':

/-----------
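The advisory above describes an attribute-value parser that copies into unchecked buffers declared on the stack, reachable through an overly long 'type' attribute on an 'input' tag. The C below is an added illustration, not Amaya's source and not the cut-off listing from the advisory: it places the unchecked copy-until-quote pattern beside a bounded version that fails closed when the value would not fit, and runs the bounded version over a constructed `<input type="AAAA...">` tag. The 256-byte buffer size, the function names and the sample tags are assumptions made for the demonstration.

```c
/*
 * Added illustration (not Amaya's code): extracting an XHTML attribute value
 * into a fixed-size stack buffer, first the unchecked way, then bounded.
 * ATTR_BUF_SIZE, the function names and the constructed <input> tag are
 * assumptions for this demo, not values taken from the advisory.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ATTR_BUF_SIZE 256   /* assumed fixed size of the caller's stack buffer */

enum attr_result {
    ATTR_OK = 0,
    ATTR_NOT_FOUND,
    ATTR_UNTERMINATED,      /* no closing quote before end of input */
    ATTR_TOO_LONG           /* value would not fit in the caller's buffer */
};

/* Vulnerable pattern: copy until the closing quote, never checking the
 * destination size. A 1000-byte type="..." value writes roughly 750 bytes
 * past a 256-byte stack buffer. Kept for contrast only; the demo never
 * calls it with untrusted input. */
const char *copy_attr_value_unchecked(const char *p, char quote, char *buf)
{
    size_t i = 0;
    while (*p != '\0' && *p != quote)
        buf[i++] = *p++;    /* BUG: no bound on i */
    buf[i] = '\0';
    return p;
}

/* Hardened pattern: the destination size travels with the pointer and the
 * copy stops with an error before the value or its NUL could spill. */
enum attr_result copy_attr_value_bounded(const char *p, char quote,
                                         char *buf, size_t bufsz)
{
    size_t i = 0;
    for (; *p != quote; p++) {
        if (*p == '\0')
            return ATTR_UNTERMINATED;
        if (i + 1 >= bufsz)         /* leave room for the NUL */
            return ATTR_TOO_LONG;
        buf[i++] = *p;
    }
    buf[i] = '\0';
    return ATTR_OK;
}

/* Find name="value" (or name='value') inside one tag's text and copy the
 * value into out. Simplified XHTML rules: the name must follow whitespace
 * and be immediately followed by '=' and a quote. */
enum attr_result xhtml_get_attr(const char *tag, const char *name,
                                char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = tag;

    while ((p = strstr(p, name)) != NULL) {
        int at_boundary = p > tag &&
            (p[-1] == ' ' || p[-1] == '\t' || p[-1] == '\n' || p[-1] == '\r');
        if (at_boundary && p[nlen] == '=') {
            char quote = p[nlen + 1];
            if (quote != '"' && quote != '\'')
                return ATTR_UNTERMINATED;   /* unquoted values are not XHTML */
            return copy_attr_value_bounded(p + nlen + 2, quote, out, outsz);
        }
        p += nlen;
    }
    return ATTR_NOT_FOUND;
}

/* Build a constructed <input type="AAA..."> tag whose type value has the
 * requested length, the shape of input the advisory describes.
 * Returns the tag length, or 0 if dst is too small. */
size_t build_input_tag(char *dst, size_t dstsz, size_t type_len)
{
    const char *pre = "<input type=\"";
    const char *post = "\" />";
    size_t need = strlen(pre) + type_len + strlen(post) + 1;
    char *d = dst;

    if (need > dstsz)
        return 0;
    memcpy(d, pre, strlen(pre));  d += strlen(pre);
    memset(d, 'A', type_len);     d += type_len;
    memcpy(d, post, strlen(post) + 1);
    return need - 1;
}

int main(void)
{
    char out[ATTR_BUF_SIZE];    /* the fixed-size stack buffer */
    char tag[2048];

    build_input_tag(tag, sizeof tag, 1000);
    printf("1000-byte type value: %s\n",
           xhtml_get_attr(tag, "type", out, sizeof out) == ATTR_TOO_LONG
               ? "rejected (the unchecked copy would have overflowed)"
               : "accepted");

    if (xhtml_get_attr("<input type=\"text\" name=\"q\" />", "type",
                       out, sizeof out) == ATTR_OK)
        printf("type=\"%s\"\n", out);
    return 0;
}
```

The point to take from the contrast is that the fix is not a larger buffer but an interface change: a function that receives a destination pointer must also receive its size, and an attribute value that does not fit is a parse error, not something to truncate silently or, worse, copy anyway.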


Addendum : [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

For those that failed to reproduce, try naming the POC file with an XHTML
extension.



Apple Safari cross-domain XML theft vulnerability

irrelevant
</xml>

There are a number of interesting XML-based formats you might want to
steal including authenticated RSS, XML-formatted AJAX-y responses, and
XHTML.

Full technical details: http://scary.beasts.org/security/CESA-2009-008.html

Blog post: http://scarybeastsecurity.blogspot.com/2009/06/apples-safari-4-also-fixes-cross-domain.html
(includes 1-click demo)

ZDI-09-012: Microsoft Internet Explorer Malformed CSS Memory Corruption

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page.

The specific flaw exists when processing, in XHTML strict mode, a CSS
stylesheet containing a specific combination of style directives one of
which must be a 'zoom'. The fault in processing results in a memory
corruption vulnerability which can be leveraged to execute arbitrary
code under the context of the current user.




Copyright © 1995-2012 LinuxRocket.net. All rights reserved.