#######################################################################
Vulnerability 1: Internet Explorer Select Element Remote Code Execution
#######################################################################
Original advisory:
http://ifsec.blogspot.com/2011/10/internet-explorer-select-element-remote.html
I. OVERVIEW
There is a vulnerability in Internet Explorer which enables execution
=======
A vulnerability exists in the Session Initiation Protocol (SIP)
implementation in Cisco IOS® Software that could allow an
unauthenticated attacker to cause a denial of service (DoS) condition
on an affected device when the Cisco Unified Border Element feature
is enabled.
Cisco has released free software updates that address this
vulnerability. For devices that must run SIP there are no
workarounds; however, mitigations are available to limit exposure of
----- /Query 2 ---------------------------------------------------------
Data is only returned from the database to the web application when both
queries are syntactically correct. Due to a different nesting level of
parentheses around the SQL queries' user-manipulable parts, successful
(non-blind) SQL injection requires the use of two elements within the
original HTTP POST request.
The following examples show the two queries that are executed when the
<sql> element contains the string "0=1) /* " and the <order_by> element
contains the string "*/)--". User input that is active within an SQL
Last Modified: 2009/09/18
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Horde Application Framework <= 3.2.4
Severity: PHP applications using the Horde_Form_Type_image form
element can be tricked into overwriting arbitrary files
writable by the webserver which might result in PHP
remote code execution
Risk: High
Vendor Status: Horde 3.2.5 was released which fixes this vulnerability
Reference: http://www.sektioneins.de/advisories/SE-2009-01.txt
Title:
------
* Marvell Driver Multiple Information Element Overflows
Summary:
--------
* The wireless drivers in some Wi-Fi access points (such as the
MARVELL-based Linksys WAP4400N) do not correctly parse information
elements included in association requests. Most information elements are
used by the wireless access point and clients to advertise their
- ---------------------
CVE-2010-3451:
OpenOffice.org uses its own internal memory management system for parsing
tables in RTF documents. Information about each table row is inserted, element
by element, into an SwTableBoxes object. These objects contain a fixed amount
of data, and when they have reached capacity, a resize() method is called to
double the space previously allocated for cell contents. When this method is
called, the new space will be allocated on top of recently freed memory
containing file data without clearing this memory. Because of a bug in the RTF
ZDI-11-140 (formerly ZDI-CAN-1026): Webkit Detached Body Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-140
April 19, 2011
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
2. Cross-site Scripting vulnerability in
"/cubecart_4/modules/gateway/WorldPay/return.php", parameter "amount".
Attack details
URL encoded GET input amount was set to " onmouseover=prompt(949088) bad="
The input is reflected inside a tag element between double quotes.
Sample HTTP Request:
GET /cubecart_4/modules/gateway/WorldPay/return.php?amount=%22%20onmouseover%3dprompt%28949088%29%20bad%3d%22&cartId=&email=&transId=&transStatus= HTTP/1.1
CVE-2009-1690
Use-after-free vulnerability in WebKit, allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) by setting an unspecified property of an HTML tag that causes child
elements to be freed and later accessed when an HTML error occurs, related to
"recursion in certain DOM event handlers."
CVE-2009-1698
Title:
------
* Atheros Vendor Specific Information Element Overflow
Summary:
--------
* The wireless drivers in some Wi-Fi access points (such as the
ATHEROS-based Linksys WRT350N) do not correctly parse the Atheros vendor
specific information element included in association requests. This
information element is used by wireless devices to advertise Atheros
html/webmail/server/inc/rss/item.php
In the function getHTML(), the final HTML page for an item is assembled
and returned. The "title" and "description" keys correspond to the
<title> and <description> elements in the feed, the "href" key to the
<link> element:
------------------------------------------------------------------------
public function getHTML(&$aItem)
{
Title: Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities
0x01. Description:
Memory exhaustion in Firefox 3.6.3 (latest) and earlier prevents Firefox from inserting text into the body element, after which it crashes.
( raises an exception using PoC #1, read access violation in a low memory area using PoC #2 )
Of course, a variation of the PoC produced a NULL pointer dereference, so code execution may also be possible ( 0.1 % ). :-)
URL: http://www.x90c.org/advisories/firefox_3.6.3_crash_advisory.txt
vulnerable installations of Apple Safari's Webkit. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within Webkit's support for generated content.
When utilizing generated content on a particular element, the library
will insert more than one reference to the generated element.
During page destruction the application will navigate through the
reference to discover more elements to destroy. This can lead to code
execution under the context of the application.
ZDI-09-034: Apple Safari SVG Set.targetElement() Memory Corruption
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-034
June 8, 2009
-- CVE ID:
CVE-2009-1709
-- Affected Vendors:
Apple
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ZDI-11-287 : Internet Explorer Select Element Cache Remote Code
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-287
October 15, 2011
- -- CVE ID:
CVE-2011-1996
vulnerable installations of Apple Safari Webkit. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the library's implementation of a frame
element. When parsing a malformed document embedded inside an SVG
document, the library will create an anonymous block around a frame
element in the block's contents. When freeing this anonymous block via
an assignment to the read-only .textContent attribute, a reference to
one of the child elements will still exist. Accessing this child element
can then lead to code execution under the context of the application.
ZDI-10-096: Apple Webkit Recursive Use Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-096
June 8, 2010
-- CVE ID:
CVE-2010-1404
-- Affected Vendors:
Apple
ZDI-11-239: Apple Safari Webkit FrameOwner Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-239
July 27, 2011
-- CVE ID:
CVE-2011-0233
-- CVSS:
ZDI-10-153: Apple Webkit SVG Floating Text Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-153
August 11, 2010
-- CVE ID:
CVE-2010-1787
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ZDI-11-104: (Pwn2Own) Webkit CSS Text Element Count Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-104
April 14, 2011
-- CVE ID:
CVE-2011-1290
-- CVSS:
malicious page or open a malicious file.
The specific flaw exists within the way the WebKit library implements
the requirements for a run-in box as outlined in the Visual
Formatting Model of the CSS 2.1 Specification. When promoting a
run-in element the application will incorrectly free one of the child
elements of the run-in. Later, when attempting to do layout for this
element, the application will access the freed element due to the
dangling reference. This can lead to code execution under the context of
the application.
code. This library mitigates against several issues independently
reported by Red Hat Security Response Team member Marc Schoenefeld
and Mozilla security researcher Christoph Diehl (CVE-2010-3768).
Security researcher wushi of team509 reported that when a XUL
tree had an HTML <div> element nested inside a <treechildren>
element then code attempting to display content in the XUL tree would
incorrectly treat the <div> element as a parent node to tree content
underneath it resulting in incorrect indexes being calculated for the
child content. These incorrect indexes were used in subsequent array
operations which resulted in writing data past the end of an allocated
ZDI-10-092: Apple Webkit Option Element ContentEditable Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-092
June 8, 2010
-- CVE ID:
CVE-2010-1396
-- Affected Vendors:
Apple
This vulnerability allows attackers to execute arbitrary code on
vulnerable software utilizing the Apple WebKit library. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page.
The specific flaw exists when the document.body element contains a
specific XML container containing various elements supporting the 'dir'
attribute. During the destruction of this element, if the rendering
object responsible for the element is being removed, the application
will then make a call to a method for an object that doesn't exist which
can lead to code execution under the context of the current user.
To exploit this issue the application that is using TCPDF must be
vulnerable to cross-site scripting inside their pdf generating
code.
The problem is caused by the TCPDF callback element that could be
injected into HTML code. The parser of the callback element passes
the 'params' attribute into an eval() statement without any
sanitization.
- --[ Affected Code
transmitted for any type of connection (http or https). This is the
only cookie one needs to authenticate to gmail.
This "any type of connection" property allows an attacker to execute a
cross site request forgery attack to inject spoofed
'http://mail.google.com' content elements or meta-refresh tags into
ANY WEB PAGE loaded by a user. Repeat: the user does NOT have to be
using gmail at the time, they just need to have a valid 'GX'
authentication cookie from a prior login, and then visit ANY WEBSITE.
Upon fetching/executing these injected elements, the browser will
transmit the 'GX' cookie in the clear for the load of the spoofed
vulnerable installations of Apple Safari Webkit. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the application's implementation of a
Frame element. When attaching this element to a document, the
application will duplicate a reference of an anonymous block. When
freeing the container holding the Frame element, the reference will
still be available. If an attacker can perform an explicit type change
of the contents of the element, this can then be leveraged to gain code
execution under the context of the application.
of previously freed memory which an attacker could use to crash a
victim's browser and run arbitrary code on the victim's computer
(CVE-2010-0175).
Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative an error in the way <option> elements are inserted into
a XUL tree <optgroup>. In certain cases, the number of references
to an <option> element is under-counted so that when the element is
deleted, a live pointer to its old location is kept around and may
later be used. An attacker could potentially use these conditions to
run arbitrary code on a victim's computer (CVE-2010-0176).