event handlers
Cross Site Scripting: (requires administrator access - will not survive a login screen)
http://[HOST]/skybluecanvas/admin.php?mgroup=" onmouseover=alert(0) > &mgr=email&objtype=email&sub=viewemail&id=2
http://[HOST]/skybluecanvas/admin.php?mgroup=collections&mgr=" onmouseover=alert(0) > &com=manager
Impossible XSS: (XML errors or hidden tags preventing use of event handlers.)
http://[HOST]/skybluecanvas/admin.php?mgroup=pages&mgr=page&objtype=XSS
http://[HOST]/skybluecanvas/admin.php?mgroup=settings&mgr=configuration&objtype=">XSS
http://[HOST]/skybluecanvas/admin.php?mgroup=pages&mgr=page&objtype=page&sub=editpage&id=" onfocus=alert(0) >
http://[HOST]/skybluecanvas/admin.php?mgrou=pictures&mgr=media&dir='XSS
Use-after-free vulnerability in WebKit, allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) by setting an unspecified property of an HTML tag that causes child
elements to be freed and later accessed when an HTML error occurs, related to
"recursion in certain DOM event handlers."
CVE-2009-1698
WebKit does not initialize a pointer during handling of a Cascading Style Sheets
-:: The Advisory ::-
Vulnerable Function / ID Calls:
search, tag, bookmark & "another function that registers all extra calls"
Cross Site Scripting: (by using event handlers)
http://[HOST]/webmediaexpl/htdocs/index.php?search=" onmouseover=alert(0) ---
-- Will be executed when a user moves his mouse over the search field.
http://[HOST]/webmediaexpl/htdocs/?tag=" onmouseover=alert(0) ---
-- Will be executed when a user moves his mouse over a tag.
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2007-1095
Michal Zalewski discovered that the unload event handler had access to
the address of the next page to be loaded, which could allow information
disclosure or spoofing.
CVE-2007-2292
ZDI-09-038: Microsoft Internet Explorer Event Handler Memory Corruption
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-038
June 10, 2009
-- CVE ID:
CVE-2009-1530
-- Affected Vendors:
Microsoft
Update Scanner performs input data filtering by
stripping <script> tags but this is not enough to
prevent
JavaScript code execution. For example, it is possible
to trigger JavaScript code execution by using event
handlers such as “onerror”.
+------------+
|Exploitation|
+------------+
through 2.2.1, Google Chrome 1.0.154.53, and possibly other products,
allows remote attackers to execute arbitrary code or cause a denial
of service (memory corruption and application crash) by setting an
unspecified property of an HTML tag that causes child elements to
be freed and later accessed when an HTML error occurs, related to
recursion in certain DOM event handlers. (CVE-2009-1690).
WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and iPhone OS for iPod touch 1.1 through 2.2.1 does not initialize a
pointer during handling of a Cascading Style Sheets (CSS) attr function
call with a large numerical argument, which allows remote attackers to
circumstances, and we presume that with enough effort at least some
of these could be exploited to run arbitrary code (CVE-2010-0173,
CVE-2010-0174)
Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative that a select event handler for XUL tree items could be
called after the tree item was deleted. This results in the execution
of previously freed memory which an attacker could use to crash a
victim's browser and run arbitrary code on the victim's computer
(CVE-2010-0175).
Flaws were discovered in the file upload form control. By tricking
a user into opening a malicious web page, an attacker could force
arbitrary files from the user's computer to be uploaded without their
consent. (CVE-2006-2894, CVE-2007-3511)
Michal Zalewski discovered that the onUnload event handlers were
incorrectly able to access information outside the old page content. A
malicious web site could exploit this to modify the contents, or
steal confidential data (such as passwords), of the next loaded web
page. (CVE-2007-1095)
The web management interface does not validate the origin of
administrator requests, and is therefore vulnerable to Cross Site
Request Forgery.
Successful exploitation may allow an attacker to execute code
on the target system via custom malicious event handlers
utilizing UNC paths.
Proof of concept:
http://<target>/AfariaAdmin/WebForms/ErrorHandler.aspx?msg=csrf
&ReloadLink=False
XPCNativeWrapper.
CVE-2008-1234
"moz_bug_r_a4" discovered that insecure handling of event
handlers could lead to cross-site scripting.
CVE-2008-1235
Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
that incorrect principal handling can lead to cross-site
processing could lead to the execution of arbitrary code.
CVE-2011-2981
"moz_bug_r_a_4" discovered a Chrome privilege escalation
vulnerability in the event handler code.
CVE-2011-2982
Gary Kwong, Igor Bukanov, Nils and Bob Clary discovered memory
corruption bugs, which may lead to the execution of arbitrary code.
Various flaws were discovered in the layout and JavaScript engines.
By tricking a user into opening a malicious web page, an attacker could
execute arbitrary code with the user's privileges. (CVE-2007-5336,
CVE-2007-5339, CVE-2007-5340)
Remote exploitation of a use after free vulnerability in Microsoft
Corp.'s Internet Explorer could allow an attacker to execute arbitrary
code with the privileges of the current user.
The vulnerability occurs when an HTML object with an
'onreadystatechange' event handler is not properly freed. This event is
used to perform actions when the state of some HTML object changes; for
example, when a form has data input. Specifically, when certain
properties of the object are changed, the event handler function object
is freed, but a reference to it remains. When the object is later
accessed, this invalid memory is treated as an object pointer, and one
Security issues were identified and fixed in mozilla firefox and
thunderbird:
The SVG implementation in Mozilla Firefox 8.0, Thunderbird 8.0, and
SeaMonkey 2.5 does not properly interact with DOMAttrModified event
handlers, which allows remote attackers to cause a denial of service
(out-of-bounds memory access) or possibly have unspecified other
impact via vectors involving removal of SVG elements (CVE-2011-3658).
Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey
As this page cannot be viewed by the admin or other users, this only allows
quite unlikely attack scenarios, so the impact should be considered very low.
Vendor has released 1.7.1, which filters out HTML-tags and restricts the field
size to 10 chars. Filtering out HTML-tags alone does not help, as one can
still use JavaScript event handlers (e.g. onMouseOver), but 10 chars doesn't
allow any useful code to be injected. The proper solution would be escaping
the output including quotes. So this is fixed, but it's not a very clean
solution.
Disclosure Timeline
Security-Assessment.com discovered that ScribeFire is
vulnerable to multiple injection vulnerabilities which
can be exploited through a malicious image.
Cross-Site Scripting and HTML injection
vulnerabilities were discovered within the DOM event
handlers of <img> tags.
ScribeFire directly evaluates remotely supplied
content, within the privileged chrome context. This
can allow an image on a website to exploit users who
share it, and may lead to the complete compromise of
Description
===========
Mozilla developers fixed several bugs, including an issue with
modifying XPCNativeWrappers (CVE-2007-3738), a problem with event
handlers executing elements outside of the document (CVE-2007-3737),
and a cross-site scripting (XSS) vulnerability (CVE-2007-3736). They
also fixed a problem with promiscuous IFRAME access (CVE-2007-3089) and
an XULRunner URL spoofing issue with the wyciwyg:// URI and HTTP 302
redirects (CVE-2007-3656). Denials of Service involving corrupted
memory were fixed in the browser engine (CVE-2007-3734) and the
such as a <div>div</div>
</body>
</html>
You'd probably want to use a style attribute with your filtered
injection rather than event handler but I'm sure you don't need my
help for that.
- kuza55
2008/4/26 Kristian Erik Hermansen <kristian.hermansen@gmail.com>:
networks from any website. It allows users to select
images from a website to be shared, which publishes
that image to their friends.
Security-Assessment.com discovered that Yoono's share
function is vulnerable to DOM event handler injection.
The vulnerability affects the DOM event handlers of
<img> tags which can be shared via Yoono.
Yoono's share function directly evaluates remotely
supplied content, within the privileged chrome
To clarify, I have three issues with your report:
1) Status bar text is inherently untrustworthy, not because of a
particular design or coding flaw in Firefox, but because of the
design of HTML, DOM, ECMAScript, and the like (event handlers,
dynamic update of link properties, etc). Much of the modern
Web relies on this design to deliver interactive UIs for web
applications, and this is a well-known and documented behavior that
is a part of accepted standards.