-----Original Message-----
From: Core Security Technologies Advisories [mailto:advisories@coresecurity.com]
Sent: Tuesday, September 25, 2007 6:21 PM
To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk; vulnwatch@vulnwatch.org; NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software
Core Security Technologies – CoreLabs Advisory
http://www.coresecurity.com/corelabs
Remote command execution, HTML and JavaScript injection vulnerabilities in
AOL’s Instant Messaging software
*Advisory Information*
Title: Remote Command execution, HTML and JavaScript injection
Google V8 Server-Side JavaScript Injection joins the set of web
application security vulnerabilities
TIME-BASED PHP V8JS INJECTION & NOSQL/SSJS INJECTION
Detecting server-side JavaScript (SSJS) injection vulnerabilities using
time-based techniques. Article by Felipe Aragon - February 25, 2012
This article, which is an update of an article that we originally
published on December 18, 2011, intends to highlight the risk of
After a standard system upgrade you need to restart Thunderbird to effect
the necessary changes.
Details follow:
Several flaws were discovered in the browser engine. If a user had Javascript
enabled, these problems could allow an attacker to crash Thunderbird and
possibly execute arbitrary code with user privileges. (CVE-2008-5500)
Boris Zbarsky discovered that the same-origin check in Thunderbird could be
bypassed by utilizing XBL-bindings. If a user had Javascript enabled, an
Advisory: IceWarp WebMail Server: Cross Site Scripting in Email View
During a penetration test, RedTeam Pentesting discovered that the IceWarp
WebMail Server is prone to Cross Site Scripting attacks in its email view.
This enables attackers to send emails with embedded JavaScript code,
for example, to steal users' session IDs.
Details
=======
Overview
========
A stored XSS vulnerability exists in Microsoft Windows SharePoint
Services 2.0 where a malicious user can bypass sanitization and inject
javascript into a web page they are editing. Under normal circumstances,
SharePoint does not permit users to include javascript in any submitted
content.
Impact
Hello Michal!
First, I note that when I find time, I'll answer your previous comment
about redirection to javascript: URIs in different browsers.
Second, I note that, please, write about something new, not about what I
already mentioned in my advisory ;-).
> "Refresh" or "Location" redirection in Firefox will not bestow a
...
1. XSS 1
An HTTP GET request against the following URL will, on a web browser
with JavaScript support, cause a dialog box saying '1' to be displayed:
http://CACTIHOST/graph.php?action=zoom&local_graph_id=1&graph_end=1%27%20style=visibility:hidden%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx%20y=%27
This vulnerability is only exploitable if the victim is allowed to view
graphs. This will be true if the victim has previously authenticated
in the current tab.
* As a last resort, it loads the URL in the current tab.
The Browser app uses the WebView class as the underlying engine. If the WebView
class has already loaded a URL, and the same instance is used to load a
javascript:// URI, then the javascript is executed in the domain of the loaded
URL. This is the desired behavior, as it allows applications to inject scripts
into loaded pages, and control the WebView. However, this means that the
browser must take special care if it reuses the same WebView instance, in order
to avoid a Cross-Application Scripting vulnerability.
> The best way to defend against any Cross Site Scripting attacks is to
> sanitize all inputs and outputs properly on your website
XSS vulnerabilities must be fixed, and when they are made at web sites, then
they must be fixed at web sites. But in this case browser developers made
XSS holes (JavaScript execution) in redirectors, so a Redirector
vulnerability (which can be used for redirection to malicious sites and
some other attacks) also becomes an XSS (JavaScript execution)
vulnerability. And there are a lot of redirectors (open ones) on the Internet,
both refresh-header redirectors and location-header redirectors. So these XSS
holes are better fixed in browsers, because web developers will be fixing them
After a standard system upgrade you need to restart Thunderbird to effect
the necessary changes.
Details follow:
Several flaws were discovered in the JavaScript engine of Thunderbird. If a
user had JavaScript enabled and were tricked into viewing malicious web
content, a remote attacker could cause a denial of service or possibly
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1303, CVE-2009-1305, CVE-2009-1392, CVE-2009-1833,
CVE-2009-1838)
malicious website, an attacker could obtain private information from data
stored in the images, or discover information about software on the user's
computer. (CVE-2008-5012)
Jesse Ruderman discovered that Thunderbird did not properly guard locks on
non-native objects. If a user had JavaScript enabled and were tricked into
opening malicious web content, an attacker could cause a browser crash and
possibly execute arbitrary code with user privileges. (CVE-2008-5014)
Several problems were discovered in the browser, layout and JavaScript engines.
If a user had JavaScript enabled, these problems could allow an attacker to
effect the necessary changes.
Details follow:
It was discovered that the same-origin check in Thunderbird could
be bypassed. If a user had JavaScript enabled and were tricked into
opening a malicious website, an attacker may be able to execute
JavaScript in the context of a different website. (CVE-2008-3835)
Several problems were discovered in the browser engine of
Thunderbird. If a user had JavaScript enabled, this could allow an
-----Original Message-----
From: Inferno [mailto:inferno@securethoughts.com]
Sent: Thursday, August 20, 2009 2:18 AM
To: bugtraq@securityfocus.com
Subject: Bypassing OWASP ESAPI XSS Protection inside Javascript
Bypassing OWASP ESAPI XSS Protection inside Javascript
------------------------------------------------------
By Inferno (inferno {at} securethoughts {dot} com)
overflow in the parser for UTF-8 URLs, which may lead to the execution
of arbitrary code. (MFSA 2008-37)
CVE-2008-1380
It was discovered that crashes in the Javascript engine could
potentially lead to the execution of arbitrary code. (MFSA 2008-20)
CVE-2008-3835
"moz_bug_r_a4" discovered that the same-origin check in
3.5 and Safari 4 are resilient to the exploits mentioned below.
IV. DESCRIPTION
-------------------------
Google Chrome and Opera’s inbuilt RSS/ATOM Reader renders untrusted
javascript in an RSS/ATOM feed.
Exploit Scenarios
1. Scenario 1 –
1. Attacker social engineers a victim user to visit a rss/atom feed
link pointing to his or her evil site.
RSS Feed Reader
During a penetration test, RedTeam Pentesting discovered that the
IceWarp WebMail Server is prone to user-assisted Cross Site Scripting
attacks in its RSS feed reader. If attackers control or compromise an
RSS feed users are subscribed to, they can run arbitrary JavaScript code
in the users' browsers by embedding it within the feed.
Details
=======
arbitrary code. (MFSA 2008-21)
CVE-2008-2799
Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in
the Javascript engine, which might allow the execution of arbitrary
code. (MFSA 2008-21)
CVE-2008-2800
"moz_bug_r_a4" discovered several cross-site scripting vulnerabilities.
Boris Zbarsky discovered that the same-origin check in Firefox could be
bypassed by utilizing XBL-bindings. An attacker could exploit this to read data
from other domains. (CVE-2008-5503)
Several problems were discovered in the JavaScript engine. An attacker could
exploit feed preview vulnerabilities to execute scripts from page content with
chrome privileges. (CVE-2008-5504)
Marius Schilder discovered that Firefox did not properly handle redirects to
an outside domain when an XMLHttpRequest was made to a same-origin resource.
(CVE-2008-5014)
Luke Bryan discovered that Firefox sometimes opened file URIs with
chrome privileges. If a user saved malicious code locally, then opened
the file in the same tab as a privileged document, an attacker could
run arbitrary JavaScript code with chrome privileges. This issue only
affects Firefox 3.0. (CVE-2008-5015)
Several problems were discovered in the browser, layout and JavaScript
engines. These problems could allow an attacker to crash the browser
and possibly execute arbitrary code with user privileges.
effect the necessary changes.
Details follow:
Various flaws were discovered in the browser engine. If a user had
Javascript enabled and were tricked into opening a malicious web
page, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the
user invoking the program. (CVE-2008-2798, CVE-2008-2799)
It was discovered that Thunderbird would allow non-privileged XUL
I. Vulnerability Description
The OS X Software Update mechanism uses so called `distribution packages' [1],
which basically consist of two parts. The XML `catalog file', which lists the
available updates and the `distribution definition files' [1], which contain
information encoded in XML and JavaScript, defining every aspect of the
user experience, when installing an update.
When OS X checks for new updates, it first contacts swscan.apple.com
to receive the XML catalog file. This file references the distribution
definition files, which can reside on another server. Software Update
Hello,
I have seen many web sites include JavaScript hosted by 3rd parties,
especially over the last year. It seems that 3rd parties use this fact
in their marketing to convince others that this is good. The 3rd
parties usually don't provide any security assurances or evaluations.
One should consider the 3rd party as less secure than, for example, a
highly federally regulated entity unless the 3rd party can produce
documentation and certified audits to the contrary.
The nsIScriptableUnescapeHTML.parseFragment method in the
ParanoidFragmentSink protection mechanism in Mozilla Firefox before
3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey
before 2.0.12 does not properly sanitize HTML in a chrome document,
which makes it easier for remote attackers to execute arbitrary
JavaScript with chrome privileges via a javascript: URI in input to
an extension, as demonstrated by a javascript:alert sequence in (1)
the HREF attribute of an A element or (2) the ACTION attribute of a
FORM element. (CVE-2010-1585)
Buffer overflow in Mozilla Firefox before 3.5.17 and 3.6.x before
Advisory: Client Side Authorization ZyXEL ZyWALL USG Appliances Web
Interface
The ZyXEL ZyWALL USG appliances perform parts of the authorization for
their management web interface on the client side using JavaScript. By
setting the JavaScript variable "isAdmin" to "true", a user with limited
access gets full access to the web interface.
Details
============================================================================
Foofus.net Security Advisory: foofus-20110610
============================================================================
Title: Javascript Injection in Microsoft Lync
Version: 4.0.7577.0
Vendor: Microsoft
Release Date: 2010-06-10
Issue Status: Fix available
============================================================================
RedTeam Pentesting discovered a Cross-Site Scripting (XSS) vulnerability
in Bugzilla's chart generator during a penetration test. If attackers
can persuade users to click on a prepared link, or redirect them to
such a link from an attacker-controlled website, they are able to run
arbitrary JavaScript code in the context of the Bugzilla installation's
domain.
Details
=======
[2] http://jdownloader.org/knowledge/wiki/glossary/click-n-load
[3] http://jdownloader.org/knowledge/wiki/glossary/cnl2
- -- Vulnerability
The transmitted key can be plaintext or javascript code that is then
executed by JDownloader with the Mozilla Rhino Javascript
implementation. Here is the code for this: (plugins/
JDExternInterface.jar / JDExternInterface.java)
String jk = Encoding.urlDecode(request.getParameters().get("jk"), false);
Bypassing OWASP ESAPI XSS Protection inside Javascript
------------------------------------------------------
By Inferno (inferno {at} securethoughts {dot} com)
Everyone knows the invaluable XSS cheat sheet maintained by "RSnake". It is
all about breaking things and features all the scenarios that can result in
XSS. To complement his efforts, there is an excellent XSS prevention cheat
sheet created by "Jeff Williams" (Founder and CEO, Aspect Security). As far
as I have seen, this wiki page provides the most comprehensive information
on protecting yourself from XSS on the internet. It advises using the OWASP