Next Page >>
browser
---[ Vulnerability description ]
Positive Research Center has discovered multiple XSS vulnerabilties in Kayako Support Suite.
Application insufficiently verifies subscriberdata incoming parameter in /staff/index.php?_m=news&_a=importexport script.
An attacker with "staff" privileges can use the vulnerabilty to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
To use the vulnerability an attacker should convince a user with "staff" privileges to open URL like:
http://example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9
Application insufficiently verifies subject incoming parameter in /staff/index.php?_m=news&_a=insertnews script.
An attacker with "staff" privileges can use the vulnerabilty to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
An attacker should trick a user with "staff" privileges to open URL like:
Just a few cents - DoS in webbrowsers doesn't fall under the category of
"vulnerabilities" rather more of "annoyances". Although I don't deny the
fact that certain DoS attacks *may lead* or *may serve as hints* to other
more serious exploits, but that's a different topic and with ASLR in the
scene, a very grey area of discussion.
Case in point: XSS can be of various kinds and most of them (I'm talking of
about 99.99%) can be attributed to the design of the web
technologies/protocols specifications (http, ajax, etc etc...you name it)
and the browsers can only do that much. Hence its not feasible for a
particular case.
Taking into account that 3 from 4 vendors answered me (except Microsoft) and
Google had already non affected Chrome 4, and Mozilla and Opera promised to
fix it (we'll see when and how they do it), then you can see that my
approach works. And responsible full disclosure can force browser vendors to
attend more at security of their software.
Soon I'll write to security mailing lists about new vulnerabilities in
different browsers. And you can not worry about that - in those advisories
I'll use a littler different approach of informing browser vendors. You will
The following PoC code is available:
http://[host]/contract_add_service.php?contractid=1%20union%20%28select%20min%28@a:=1%29from%20%28select%201%20union%20select%202%29k%20group%20by%20%28select%20concat%28@@version,0x0,@a:=%28@a%2B1%29%2%29%29%29%20+--+
3) Input passed via the "mode" GET parameter to contact_support.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
http://[host]/contact_support.php?mode=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
1) Input passed to the "clientid" parameter in "www/admin/banner-
acl.php", "www/admin/banner-edit.php", "www/admin/campaign-zone.php",
"www/admin/advertiser-campaigns.php", "www/admin/campaign-
banners.php", and "www/admin/banner-activate.php" is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
the context of an affected site.
2) Input passed to the "orderdirection" and "listorder" parameters in
"www/admin/userlog-index.php" and "www/admin/stats.php" is not
properly sanitised before being returned to the user. This can be
#
#This code has been released Only for educational purposes. The author
cannot be held responsible for any bad use.
# Usage:
# 1) perl fortiGuard.pl
# 2) Configure your browser's proxy at localhost:5050
# 3) Have fun.
# --- Start Of Script---
use strict;
=============================================================
Android Browser Cross-Application Scripting (CVE-2011-2357)
=============================================================
1) Background
--------------
Android applications are executed in a sandbox environment, to ensure that no
application can access sensitive information held by another, without adequate
privileges. For example, Android's browser application holds sensitive
information such as cookies, cache and history, and this cannot be accessed by
to contacts?
MustLive wrote:
> Hello Susan!
>
>> Granted I can denial of service a browser just by loading up a horrible
>> add in or just using a browser
>
> DoS of the browser is already bad thing. And there are many risks for
> users
> from DoS holes in browsers, which I wrote about in 2008 in my articles
Hello Susan!
> Granted I can denial of service a browser just by loading up a horrible
> add in or just using a browser
DoS of the browser is already bad thing. And there are many risks for users
from DoS holes in browsers, which I wrote about in 2008 in my articles
Dangers of DoS attacks on browsers and Dangers of resources consumption DoS
attacks. But mostly browser developers ignore to fix these issues.
CVE Name: CVE-2009-1140
3. *Vulnerability Description*
Internet Explorer (IE) is the most widely used Web browser, with an
estimated count of 1,100 million users according to a worldwide survey
conducted and published in 2008 [1]. This advisory describes a
vulnerability that provides access to the contents of any file stored in
the local filesystem of user's machines running vulnerable versions of IE.
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in osCmax, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.
1) Multiple Cross-Site Scripting (XSS) in osCmax: CVE-2012-1664
1.1 Input passed via the "username" POST parameter to /admin/login.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's browser session in context of affected website.
The following PoC (Proof of Concept) demonstrates the vulnerability:
<form action="http://[host]/admin/login.php?action=process" method="post" name="main" id="main">
Bil,
> > If the browser displayed the file
> > and the user takes no precautions, the file should
> > be in the browser's cache.
>
> Yngve Pettersen of Opera is working on a proposed
> browser specification for "Context Cache" that
> would allow cached items to expire/be discarded
> immediately upon logging out:
to give additional explanations. Also I'll point on some important things
for all readers of the list.
First of all, readers of both Bugtraq and Full-disclosure must understand,
that if you had no questions to my first advisory (from this series of
advisories (I posted three already) of vulnerabilities in browsers,
which belong to group of DoS via protocol handlers), then there must be no
questions for next advisories. Otherwise it'll be double standards (not
moaning on 1st advisory and moaning on 2nd and 3rd ones) and as I already
wrote to the lists, double standards are bad and better to not use them.
handling of multipart/x-mixed-replace images. Although no exploit was
shown, re-use of freed memory has led to exploitable vulnerabilities
in the past (CVE-2010-0164).
Mozilla developers identified and fixed several stability bugs in the
browser engine used in Firefox and other Mozilla-based products. Some
of these crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least some
of these could be exploited to run arbitrary code (CVE-2010-0165,
CVE-2010-0167).
handling of multipart/x-mixed-replace images. Although no exploit was
shown, re-use of freed memory has led to exploitable vulnerabilities
in the past (CVE-2010-0164).
Mozilla developers identified and fixed several stability bugs in the
browser engine used in Firefox and other Mozilla-based products. Some
of these crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least some
of these could be exploited to run arbitrary code (CVE-2010-0165,
CVE-2010-0167).
====================================================
Security Research Advisory
Vulnerability name: Nokia Browser Array Sort Denial Of Service Vulnerability
Advisory number: LC-2008-04
Advisory URL: http://www.ikkisoft.com
====================================================
1) Affected Software
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.04:
abrowser 3.6.7+build2+nobinonly-0ubuntu0.9.04.1
firefox-3.0 3.6.7+build2+nobinonly-0ubuntu0.9.04.1
xulrunner-1.9.2 1.9.2.7+build2+nobinonly-0ubuntu0.9.04.2
Ubuntu 9.10:
firefox-3.5 3.6.7+build2+nobinonly-0ubuntu0.9.10.1
~~~~~~~~~~~~~~~~~~~
- Internet Explorer 5, 6, 7, 8 (all versions)
- Chrome (limited)
- Opera
- Seamonkey
- Midbrowser
- Netscape 6 & 8 (9 years ago)
- Konqueror (all versions)
- Apple iPhone + iPod
- Apple Safari
- Thunderbird
From your paper:
>>It is noteworthy that it has taken 19 months since the initial general
availability of IE7 (public release October 2006) to reach 52.5%
proliferation amongst users that navigate the Internet with Microsoft's
Web browser. Meanwhile, 92.2% of Firefox users have migrated to FF2.
Could this be due to the fact that Mozilla stops supporting, and issuing
updates for old versions just a few months after the release of a new
one?
> From your paper:
>
>>>It is noteworthy that it has taken 19 months since the initial general
> availability of IE7 (public release October 2006) to reach 52.5%
> proliferation amongst users that navigate the Internet with Microsoft's
> Web browser. Meanwhile, 92.2% of Firefox users have migrated to FF2.
>
> Could this be due to the fact that Mozilla stops supporting, and issuing
> updates for old versions just a few months after the release of a new
> one?
The Cisco Clientless VPN solution as deployed by Cisco ASA 5500
Series Adaptive Security Appliances (Cisco ASA) uses an ActiveX
control on client systems to perform port forwarding operations.
Microsoft Windows-based systems that are running Internet Explorer or
another browser that supports Microsoft ActiveX technology may be
affected if the system has ever connected to a device that is running
the Cisco Clientless VPN solution. A remote, unauthenticated attacker
who could convince a user to connect to a malicious web page could
exploit this issue to execute arbitrary code on the affected machine
with the privileges of the web browser.
used for downloading a file which already exists in the downloads
folder is predictable. If an attacker had local access to a victim's
computer and knew the name of a file the victim intended to open
through the Download Manager, he could use this vulnerability to
place a malicious file in the world-writable directory used to save
temporary downloaded files and cause the browser to choose the
incorrect file when opening it. Since this attack requires local
access to the victim's machine, the severity of this vulnerability
was determined to be low (CVE-2009-3274).
Security researcher Paul Stone reported that a user's form history,
class of web exploits originally coined cross-protocol scripting, but now more
commonly referred to as inter-protocol exploitation.
Goatse Security has a double feature for you, starting with a 0day vuln:
* Safari (and other webkit-based)browser port blocking bypassed by integer overflow
and a technique that, as far as I know, has not been premiered before:
* XHR (XMLHttpRequest) as a vector for mail merging or wordlist attacks in
XPS/IPE attacks
used for downloading a file which already exists in the downloads
folder is predictable. If an attacker had local access to a victim's
computer and knew the name of a file the victim intended to open
through the Download Manager, he could use this vulnerability to
place a malicious file in the world-writable directory used to save
temporary downloaded files and cause the browser to choose the
incorrect file when opening it. Since this attack requires local
access to the victim's machine, the severity of this vulnerability
was determined to be low (CVE-2009-3274).
Security researcher Paul Stone reported that a user's form history,
Hi Bil,
> > My motivation for deleting the file retrieval
> > session record was that the extended hostname is
> > recorded in the browser history. So if the user
> > neglects to log out, and is using a laptop, and
> > the laptop is stolen (even if turned off), the
> > thief can access the file from the history until
> > the login session times out.
>
http://www.security-assessment.com/files/advisories/20
08-10-22_Opera_Stored_Cross_Site_Scripting.pdf
== Issue Details ==
Opera browser is vulnerable to stored Cross Site
Scripting. A malicious attacker is able to inject
arbitrary browser content through the
websites visited with the Opera browser. The code
injection is rendered into the Opera History Search
page which displays URL and a short
Hi List,
For the last 18 month we analyzed the daily USER-AGENT data collected by
Google's Web search and application servers around the world to study how users
patch and update their Web browsers.
We came out that approximately 637 million (or 45.2 percent) users currently
surf the Web on a daily basis with an out-of-date browser – i.e. not running a
current, fully patched Web browser version.
A reply from Robert Hensing at Microsoft
(http://blogs.technet.com/robert_hensing/archive/2008/07/01/vulnerable-w
eb-browser-study-full-of-fail.aspx) says that your study did not include
minor version information for Internet Explorer, probably because such
information is not reported in the user-agent string. But fully-patched
copies of IE5 and IE6 are not insecure in the same way as an unsupported
version; Microsoft is still supporting them.
So is it true that your study calls anyone running IE7 secure, and
anyone running IE5 or IE6 insecure, regardless of their patch levels?
user-assisted execution of arbitrary code.
Background
==========
Mozilla Firefox is an open-source web browser and Mozilla Thunderbird
an open-source email client, both from the Mozilla Project. The
SeaMonkey project is a community effort to deliver production-quality
releases of code derived from the application formerly known as the
'Mozilla Application Suite'. XULRunner is a Mozilla runtime package
that can be used to bootstrap XUL+XPCOM applications like Firefox and
* Impact : Low
* Short description
Opera is vulnerable to a remote DoS attack, using spacially crafted BMP
files, that causes the browser to freeze for a short amount of time
(around 4 minutes on fast computer). An attacker could create a web
page that contains multiple BMP files displayed by an <img> tag. This
would freeze the browser for N*4 minutes, where N is the number of
images (so 100 images, the browser freezez for almost 7 hours). When
frozen, the browser consumes 100% CPU power.
Next Page>>
|
