event handler
# Exploit Title: Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS
# Google Dork: "inurl:"sites/all/modules/ckeditor" -drupalcode.org"
# Google Results: Approximately 379.000 results
# Date: 18th January 2012
# Author: MaXe @InterN0T (Found in a private Hatforce.com Penetration Test)
# Software Link: http://ckeditor.com/ & http://drupal.org/node/1332022
# Version: 3.0 - Current 3.6.2 (Drupal module: 6.x-1.8)
# Screenshot: http://i.imgur.com/8TP6w.png
# Tested on: Windows + Firefox 8.0 & Internet Explorer 8.0
networks from any website. It allows users to select
images from a website to be shared, which publishes
that image to their friends.
Security-Assessment.com discovered that Yoono's share
function is vulnerable to DOM event handler injection.
The vulnerability affects the DOM event handlers of
<img> tags which can be shared via Yoono.
Yoono's share function directly evaluates remotely
supplied content, within the privileged chrome
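Both the CKEditor advisory and the Yoono advisory above describe the same bug class: attacker-controlled markup, typically an `<img>` tag, reaches the DOM (for Yoono, privileged chrome) with its `on*` event-handler attributes intact. The following is an added example, not code from either advisory or either vendor, showing a short blacklist filter of the kind that gets bypassed next to a default-deny rewrite that drops every event-handler attribute and `javascript:` URL. The tag and attribute grammar is a simplified approximation of HTML attribute syntax, and the payloads are constructed for the example; for production, a tree-based sanitizer working on the parsed DOM (DOMPurify, for instance) is preferable to string rewriting.

```javascript
// Added example, not code from the CKEditor or Yoono advisories: a default-deny
// filter for DOM event-handler attributes in user-supplied markup. The grammar
// below is a simplified approximation of HTML attribute syntax.

// Start tag: name, then attributes; quoted values may legitimately contain '>'.
const TAG_RE = /<([a-zA-Z][a-zA-Z0-9-]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/y;
const END_TAG_RE = /<\/([a-zA-Z][a-zA-Z0-9-]*)\s*>/y;
// One attribute: name, optional "=" with a double-quoted, single-quoted or unquoted value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;

// Vulnerable filter: a short lowercase blacklist. Bypassed by any other handler
// name (onmouseover, onanimationstart, ...), by mixed case, or by whitespace
// before '='.
function naiveFilter(html) {
  return html.replace(/\s(onerror|onload|onclick)="[^"]*"/g, '');
}

// The HTML parser decodes numeric character references before the URL parser
// sees the value, so "jav&#x09;ascript:" has to be checked after decoding.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);?/gi, (_, ref) => {
    const cp = ref[0].toLowerCase() === 'x' ? parseInt(ref.slice(1), 16) : parseInt(ref, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
  });
}

const URL_ATTRS = /^(href|src|action|formaction|xlink:href)$/i;

function isDangerous(name, value) {
  if (/^on/i.test(name)) return true;                 // every DOM event-handler attribute starts with "on"
  if (URL_ATTRS.test(name) && value !== undefined) {
    const v = decodeNumericEntities(value.replace(/^["']|["']$/g, ''))
      .replace(/[\s\u0000-\u001f]/g, '')              // browsers ignore tab/newline inside the scheme
      .toLowerCase();
    if (/^(javascript|vbscript):/.test(v)) return true;
  }
  return false;
}

// Hardened filter: tokenise start tags, keep only attributes that pass
// isDangerous, and render anything that does not parse as literal text.
function stripEventHandlers(html) {
  let out = '', i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);
    TAG_RE.lastIndex = END_TAG_RE.lastIndex = lt;
    let m = TAG_RE.exec(html);
    if (m) {
      const [whole, tag, rawAttrs] = m;
      const kept = [];
      ATTR_RE.lastIndex = 0;
      for (let a; (a = ATTR_RE.exec(rawAttrs)) !== null;) {
        const [, name, value] = a;
        if (!isDangerous(name, value)) kept.push(value === undefined ? name : `${name}=${value}`);
      }
      out += `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
      i = lt + whole.length;
    } else if ((m = END_TAG_RE.exec(html))) {
      out += m[0];
      i = lt + m[0].length;
    } else {
      out += '&lt;';   // default deny: an unparseable '<' (e.g. an unbalanced quote) becomes text
      i = lt + 1;
    }
  }
  return out;
}

// Constructed payloads (not taken from the advisories) exercising the bypasses above.
const PAYLOADS = [
  '<img src="x" onerror="alert(1)">',
  '<IMG SRC=x OnErRoR = alert(1)>',
  '<svg/onload=alert(1)>',
  '<img src=x onmouseover="alert(1)">',
  '<a href="jav&#x09;ascript:alert(1)">x</a>',
  '<img src=x onerror=alert(1) alt=">',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of PAYLOADS) {
    console.log(`${p}\n  naive:    ${naiveFilter(p)}\n  hardened: ${stripEventHandlers(p)}`);
  }
}
```

The last payload is the important caveat: with an unbalanced quote the start tag cannot be parsed, and a filter that falls through to "leave it alone" in that case lets the handler through, so the unparseable `<` is emitted as `&lt;` instead. Named character references (`&colon;`, `&Tab;`) are not decoded here, which is one more reason to prefer a sanitizer that runs on the parsed DOM.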
Use-after-free vulnerability in WebKit, allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) by setting an unspecified property of an HTML tag that causes child
elements to be freed and later accessed when an HTML error occurs, related to
"recursion in certain DOM event handlers."
CVE-2009-1698
WebKit does not initialize a pointer during handling of a Cascading Style Sheets
circumstances, and we presume that with enough effort at least some
of these could be exploited to run arbitrary code (CVE-2010-0173,
CVE-2010-0174)
Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative that a select event handler for XUL tree items could be
called after the tree item was deleted. This results in the execution
of previously freed memory which an attacker could use to crash a
victim's browser and run arbitrary code on the victim's computer
(CVE-2010-0175).
processing could lead to the execution of arbitrary code.
CVE-2011-2981
"moz_bug_r_a_4" discovered a Chrome privilege escalation
vulnerability in the event handler code.
CVE-2011-2982
Gary Kwong, Igor Bukanov, Nils and Bob Clary discovered memory
corruption bugs, which may lead to the execution of arbitrary code.
such as a <div>div</div>
</body>
</html>
You'd probably want to use a style attribute with your filtered
injection rather than event handler but I'm sure you don't need my
help for that.
- kuza55
2008/4/26 Kristian Erik Hermansen <kristian.hermansen@gmail.com>:
Security issues were identified and fixed in mozilla firefox:
Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative that a flaw in the Mozilla SVG implementation could result
in an out-of-bounds memory access if SVG elements were removed during
a DOMAttrModified event handler (CVE-2011-3658).
Firefox prevents the dropping of javascript: links onto a frame
to prevent malicious sites from tricking users into performing
a cross-site scripting (XSS) attack on themselves. Security
researcher Soroush Dalili reported a way to bypass this protection
browser, an unbranded version of the Firefox browser. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2007-1095
Michal Zalewski discovered that the unload event handler had access to
the address of the next page to be loaded, which could allow information
disclosure or spoofing.
CVE-2007-2292
Remote exploitation of a use after free vulnerability in Microsoft
Corp.'s Internet Explorer could allow an attacker to execute arbitrary
code with the privileges of the current user.
The vulnerability occurs when an HTML object with an
'onreadystatechange' event handler is not properly freed. This event is
used to perform actions when the state of some HTML object changes; for
example, when a form has data input. Specifically, when certain
properties of the object are changed, the event handler function object
is freed, but a reference to it remains. When the object is later
accessed, this invalid memory is treated as an object pointer, and one
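The IE onreadystatechange report above, the XUL tree select handler report (CVE-2010-0175) and the SVG DOMAttrModified report (CVE-2011-3658) share one shape: an event handler deletes or mutates the object that the dispatcher is still iterating over, and the engine then touches freed memory. The following added example, not code from any of those advisories, reproduces that shape in memory-safe JavaScript with a toy tree whose "freed" flag stands in for a native destructor, and shows the dispatch discipline the DOM Standard prescribes (clone the listener list, re-check liveness before each call) that prevents it. Node, Tree and the scenario are constructed for the example; they are not browser APIs.

```javascript
// Added example, not from any advisory quoted above: a toy dispatcher that
// reproduces in memory-safe JavaScript the bug shape shared by the IE
// onreadystatechange use-after-free, CVE-2010-0175 (XUL tree select handler
// run after the item was deleted) and CVE-2011-3658 (SVG elements removed
// inside a DOMAttrModified handler). Node, Tree and the "freed" flag are
// constructed stand-ins for native engine objects, not browser APIs.

class Node {
  constructor(name) { this.name = name; this.freed = false; this.handlers = []; }
  on(fn) { this.handlers.push(fn); }
  free() { this.freed = true; this.handlers = null; }   // native destructor analogue
}

// Analogue of an ASan use-after-free report: any access to a freed node throws.
function touch(node) {
  if (node.freed) throw new Error(`use-after-free: ${node.name}`);
  return node;
}

class Tree {
  constructor() { this.items = []; }
  add(name) { const n = new Node(name); this.items.push(n); return n; }
  remove(node) {                 // unlink the item and free it immediately
    this.items = this.items.filter(n => n !== node);
    node.free();
  }
}

// Vulnerable dispatch: walks the live item list and trusts that each item
// (and its handler list) outlives the handlers it invokes.
function selectAllVulnerable(tree) {
  const log = [];
  for (let i = 0; i < tree.items.length; i++) {
    const item = tree.items[i];
    for (const h of touch(item).handlers) h(tree, item, log);  // a handler may free `item`
    log.push(`after:${touch(item).name}`);                      // dangling access if it did
  }
  return log;
}

// Hardened dispatch, following the DOM Standard's dispatch rules: clone the
// lists before iterating and re-check liveness before every call, so removal
// during dispatch can neither shift indices nor leave a dangling reference.
function selectAllHardened(tree) {
  const log = [];
  for (const item of tree.items.slice()) {          // snapshot of the item list
    if (item.freed) continue;                        // deleted by an earlier handler
    for (const h of item.handlers.slice()) {         // snapshot of the handler list
      if (item.freed) break;                         // deleted by a previous handler of this item
      h(tree, item, log);
    }
    if (!item.freed) log.push(`after:${item.name}`);
  }
  return log;
}

// Constructed scenario: three selected tree items; b's select handler deletes
// either itself ("self", the CVE-2010-0175 shape) or its predecessor ("prev",
// which makes the live-index loop silently skip c).
function buildScenario(victim) {
  const tree = new Tree();
  const a = tree.add('a'), b = tree.add('b'), c = tree.add('c');
  a.on((t, self, log) => log.push('a:select'));
  b.on((t, self, log) => { log.push('b:select'); t.remove(victim === 'self' ? self : a); });
  c.on((t, self, log) => log.push('c:select'));
  return tree;
}

// Runs one dispatcher over a fresh scenario and reports the log or the crash.
function run(dispatch, victim) {
  try { return { ok: true, log: dispatch(buildScenario(victim)) }; }
  catch (e) { return { ok: false, error: e.message }; }
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const victim of ['self', 'prev']) {
    console.log(victim, 'vulnerable:', JSON.stringify(run(selectAllVulnerable, victim)));
    console.log(victim, 'hardened:  ', JSON.stringify(run(selectAllHardened, victim)));
  }
}
```

In the "self" case the vulnerable loop touches b after b's own handler freed it, which is the crash the advisories describe; in the "prev" case it does not crash but never runs c's handler because the live array shrank under the index. The hardened loop produces the complete log in both cases, and the same two snapshots are what a fuzzer exercising "delete the target inside its own handler" should find already in place.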
ZDI-09-038: Microsoft Internet Explorer Event Handler Memory Corruption
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-038
June 10, 2009
-- CVE ID:
CVE-2009-1530
-- Affected Vendors:
Microsoft