It allows the MIME type of an externally referenced file (given in the
data attribute) to be set via the type attribute; the file is then loaded as an object.
4. Internet Explorer behaves in a slightly different way when
displaying a page directly rather than displaying that page inside an
HTML '<frame>' tag. For example, a page containing an HTML '<object>'
tag like the one shown below will prompt the user to accept the download
of the file referenced inside it if loaded directly, but the file will be
automatically downloaded and rendered according to the specified MIME
type if the page is loaded inside an HTML '<frame>' tag.
The Opera browser is vulnerable to stored Cross Site Scripting. A malicious
attacker is able to inject arbitrary browser content through the websites
visited with the Opera browser. The injected code is rendered in the Opera
History Search page, which displays the URL and a short description of the
visited pages.
== Bug Analysis ==
Opera.exe imports Opera.dll which handles most of the
Release Date: 04/08/2008
Title: Microsoft Windows SharePoint Services Picture Source XSS
Application/OS: Microsoft Windows SharePoint Services 2.0
Topic: A stored Cross Site Scripting (XSS) attack is possible
in Microsoft SharePoint Services 2.0 via picture object
source when adding a picture object to a page.
Vendor Status: Not Notified
Attributes: XSS, Web Service, Microsoft Tuesday
Advisory URL: http://www.caughq.org/advisories/CAU-2008-0002.txt
Author/Email: OneIdBeagl3 <oneidbeagl3 (at) caughq.org>
=======================================================================
The latest version at the time of writing can be obtained from:
http://dist.codehaus.org/jetty/jetty-7.0.0/jetty-hightide-7.0.0.v20091005.tar.gz
Running Jetty 7.0.x is very easy, from the documentation page at:
http://docs.codehaus.org/display/JETTY/Running+Jetty-7.0.x
- From an unpacked release directory of jetty-7,
the server can be started with the command: java -jar start.jar
transferring data across domains, allowing them to interact with each other.
The Anti-XSS filter has been found to have some security holes in the
current implementation. Microsoft decided to filter "Type 1 XSS", which is
free text sent to the server and reflected back to the user, thereby
injecting HTML code into the website's page. They chose not to handle
certain situations such as injection into a JavaScript tag space, which
would be extremely difficult to filter. The software giant also chose not
to filter injection into HTTP headers, which will drive hackers to focus on
discovering CRLF vulnerabilities.
===============
Three separate issues have been identified:
1. Unauthenticated Guest Access
-------------------------------
It is possible for unauthenticated users to access certain pages with guest
privileges (according to Oracle's security representative - this is a
standard functionality of this component). While some pages may not be
directly accessible as a guest in this manner, this can be bypassed by
taking advantage of the session management behavior in the application.
Description
===========
Multiple vulnerabilities have been discovered in Opera:
* Opera does not restrict the ability of a framed web page to change
the address associated with a different frame (CVE-2008-4195).
* Chris Weber (Casaba Security) discovered a Cross-site scripting
vulnerability (CVE-2008-4196).
Description:
================
Multiple XSS vulnerabilities exist within Nagios XI. It is entirely likely this
list is non-exhaustive, due to the sheer number of issues. Of particular note
is XSS on the login page, and the ability to pass XSS through the login page,
using the redirect parameter, e.g.
http://site/nagiosxi/login.php?redirect=nagiosxi/reports/histogram.php?service="><script>alert("0a29")</script>
Tested against 2011R1.8, dated October 28, 2011. Fixes detailed in
http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT (2011R1.9
google dork: "PHPWebAdmin for hMailServer" intitle:PHPWebAdmin -site:hmailserver.com -dork
poc:
regardless of register_globals & magic_quotes_gpc:
http://hostname/path_to_webadmin/index.php?page=background/../../../../../../../../boot.ini%00
http://hostname/path_to_webadmin/index.php?page=background/../../Bin/hMailServer.INI%00
http://hostname/path_to_webadmin/index.php?page=background/../../MySQL/my.ini%00
http://hostname/path_to_webadmin/index.php?page=background/../../../../../../../../../Program+Files/hmailserver/Bin/hmailserver.ini%00
An HTTP Response Splitting vulnerability was discovered in the ArubaOS
Captive Portal Web Interface, where an attacker might be able to force
authenticated captive portal users to bypass the custom welcome page shown
after authentication and redirect them to a site of the attacker's choice.
AFFECTED VERSIONS
I'm sorry if this response sounds harsh, but phrases such as "critical
vulnerability" and "compromise web applications" caught my eye.
The paper seems to focus on collecting information by navigating to
pages that will conditionally redirect the browser somewhere else
through certain types of client-side navigation (but as I understand
it, not the more common HTTP 30x responses?). By looking at history.*,
the attacking site may detect whether the redirect happened or not.
The paper then enumerates a number of scenarios where this would be of
GreenBrowser searchbar <iframe> content Double Free Vulnerability
------------------------------------------------------------------
I. Summary
All versions of GreenBrowser are prone to a vulnerability that leads to arbitrary code execution. A double free of an iframe object is triggered by its shortcut key F6 (used to search the content of the current page). A simple PoC HTML page that causes the corruption contains: <iframe src="Any_File_Will_Do.swf"></iframe>
Other file extensions such as xml may trigger this corruption as well. Open this page and press F6 (the shortcut key for the search bar), then press F5 to refresh the page; an error window reporting memory corruption will pop up. Closing the page, closing GreenBrowser entirely, or navigating to another page also triggers the problem, since the double free occurs when the iframe object is released.
------------------------------------------------------------------
II. Description
GreenBrowser is an IE-core-based browser. A specially crafted page could lead to the execution of shellcode. Using some JavaScript to refresh the page can let shellcode execute automatically after a single press of F6.
A search bar exists in many browsers and is used mostly for a quick search over different search engines such as Google and Bing. GreenBrowser defines a shortcut key F6 used to search the content of the current web page (including the content inside iframes) for the text in the search bar. After a press of F6 on a web page with an iframe pointing to a Flash or XML file, GreenBrowser will call ieframe.dll!CFindEngine::DisconnectDocument and then mshtml.dll!CDocument::PrivateRelease. When the page is refreshed or closed, GreenBrowser calls mshtml.dll!CDocument::PrivateRelease again to release the iframe object. Since the CDocument object has already been released once, the second call to CDocument::PrivateRelease uses freed memory (which could be attacker-controlled via heap spraying) as the virtual function table, leading to a code execution vulnerability. Advanced memory attack techniques such as Heap Feng Shui or JIT spraying could be used to build a stable exploit.
Description
***********
Tuned Studios Templates has a Local File Include vulnerability in the page phpversion/index.php
Details
*******
http://[server]/[installdir]/modules/news/index.php/"><script>alert('DSecRG_XSS')</script>
--------------------------------------------------------------------------------------------
4. Image XSS vulnerability in the page edituser.php: an attacker can upload an avatar picture containing XSS code.
Example:
More info: http://www.dsec.ru/about/articles/web_xss/ (in Russian)
powered by PHP and MySQL.
Credit: Jonathan Claudius of Trustwave SpiderLabs
Finding 1: PHP Code Execution and Persistent Cross Site Scripting
Vulnerabilities via 'setup-config.php' page.
CVE: CVE-2011-4899
The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. This typically requires a user
to have valid MySQL credentials to complete. However, a malicious user can
of these could be exploited to run arbitrary code (CVE-2010-0165,
CVE-2010-0167).
Mozilla developer Josh Soref of Nokia reported that documents
failed to call certain security checks when attempting to preload
images. Although the image content is not available to the page, it
is possible to specify protocols that are normally not allowed in a
web page such as file:. This includes internal schemes implemented
by add-ons that might perform privileged actions resulting in
something like a Cross-Site Request Forgery (CSRF) attack against
the add-on. Potential severity would depend on the add-ons installed
http://www.hacktics.com/content/advisories/AdvORA20100209.html
===============
II. The Finding
===============
The XSS vulnerability appears in the error details page,
OAErrorDetailPage.jsp when the server is in diagnostics mode, and requires
an additional preliminary step to invoke. When an application error occurs,
the application presents a general error message with a link to the detailed
error page. The detailed error page is vulnerable to scripting attacks
embedded in input sent to the page that caused the error. An attacker can
colorMap=0x81f8ea0, maskColors=0x0, inlineImg=0) at SplashOutputDev.cc:2048
#3 0x080601d9 in Gfx::doImage (this=0x81e5528, ref=0xbfffeebc, str=0x81f0960, inlineImg=0) at Gfx.cc:3657
#4 0x08066799 in Gfx::opXObject (this=0x81e5528, args=0xbfffef34, numArgs=1) at Gfx.cc:3330
#5 0x080612bd in Gfx::go (this=0x81e5528, topLevel=1) at Gfx.cc:581
#6 0x080615ea in Gfx::display (this=0x81e5528, obj=0xbffff1ac, topLevel=1) at Gfx.cc:553
#7 0x080a55cb in Page::displaySlice (this=0x81df9f0, out=0x81bd0f8, hDPI=90, vDPI=90, rotate=0, useMediaBox=0, crop=1, sliceX=0, sliceY=0, sliceW=744, sliceH=1052, printing=0, catalog=0x81de638, abortCheckCbk=0, abortCheckCbkData=0x0) at Page.cc:317
#8 0x080aa485 in PDFCore::needTile (this=0x81bcab8, page=0x81e5468, x=0, y=0) at PDFCore.cc:835
#9 0x080abc77 in PDFCore::update (this=0x81bcab8, topPageA=1, scrollXA=0, scrollYA=0, zoomA=125, rotateA=0, force=1, addToHist=1) at PDFCore.cc:658
#10 0x080de837 in XPDFCore::update (this=0x81bcab8, topPageA=1, scrollXA=0, scrollYA=0, zoomA=125, rotateA=0, force=1, addToHist=1) at XPDFCore.cc:285
#11 0x080a6861 in PDFCore::displayPage (this=0xbfffe88c, topPageA=1, zoomA=125, rotateA=0, scrollToTop=1, addToHist=1) at PDFCore.cc:292
Hijacking Opera's Native Page using malicious RSS payloads
----------------------------------------------------------------------------
For the complete post (with images), please visit -
http://securethoughts.com/2009/10/hijacking-operas-native-page-using-malicious-rss-payloads/
Well, this one is a continuation of my previous post on Cross Site Scripting
issues relating to RSS feed readers. In that post, I mentioned Scenario (3),
but didn't discuss any details or PoC since Opera Team was actively fixing
CVE Name: CVE-2008-3480
*Vulnerability Description*
Anzio Web Print Object (WePO) is a Windows ActiveX web page component
that, when placed on a web page, can "push" a print job from a file or
web server to a user's local printer without having to display the HTML
equivalent to that user. By placing WePO code on a web page, you can
provide a method whereby the viewer of that web page can request a local
print of a host resident print job, archived print job or a report
project provides audio device support for Linux systems. More
information can be found at the URLs shown below.
http://kernel.org/
http://www.alsa-project.org/main/index.php/Main_Page
II. DESCRIPTION
Local exploitation of an information disclosure vulnerability within the
ALSA driver included in the Linux Kernel allows attackers to obtain
"Owl is a multi user document repository (knowledge base) system written
in PHP for publishing files/documents onto the web for a corporation,
small business, group of people, or just for yourself."
(From the vendor's homepage)
More Details
============
directories via directory traversal attacks.
Successful exploitation of this vulnerability requires administrative
privileges.
7) Input passed via the "from" parameter to index.php (when "page" is
set to "sql_postfach" and "action" is set to "new") is not properly
verified before being used to send mails to users. This can be
exploited to e.g. spoof mails from the administrator.
8) Input passed via the "to", "betreff", and "elm1" parameters to
http://localhost/test/cutenews/index.php?mod=editnews&action=list&cat_msg=%3Cscript%3Ealert(/xss/);%3C/script%3E
http://localhost/test/cutenews/index.php?mod=editnews&action=list&source_msg=%3Cscript%3Ealert(/xss/);%3C/script%3E
http://localhost/test/cutenews/index.php?mod=editnews&action=list&postponed_selected=%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
http://localhost/test/cutenews/index.php?mod=editnews&action=list&unapproved_selected=%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
http://localhost/test/cutenews/index.php?mod=editnews&action=list&news_per_page=%3Cscript%3Ealert(/xss/);%3C/script%3E
8.7.2 Vulnerable packages
1.4.6, UTF-8
I. BACKGROUND
HTML+TIME (HTML Timed Interactive Multimedia Extensions) is a web
standard that was created for Microsoft Corp.'s Internet Explorer (IE)
to allow web page authors to create timed animation content on a web
page. This is accomplished using an XML-like markup that makes use of
HTML+TIME properties and elements. Internet Explorer supports this
markup standard, and also exposes a scripting interface for interacting
with the HTML+TIME elements on the page. For more information, please
see the vendor's web page at the following link:
Conventions:
Attacker Domain - Securethoughts.com
Target Domain - 50webs.com
If you don't remember, there was an important XSS vulnerability reported in all major browsers a while ago - IE7, Firefox and Opera. More information is available in the Secunia advisories: http://secunia.com/advisories/search/?search=utf-7+charset+inheritance. The vulnerability was that if you don't specify a charset in your application page, then it can inherit the charset of the parent page via iframes. So, if you accidentally land on an evil site, an attacker might be able to steal your application session, since your usual XSS prevention [<,>,",',etc] will not filter the UTF-7 encoded characters and the XSS will execute in your vulnerable domain. Proof of Concept that works in IE7 but not in IE8 -
http://www.securethoughts.com/security/ie8utf7/ie7utf-7.html
This vulnerability was patched in Firefox 2.0.0.2, Opera 9.20 and recently in Internet Explorer 8. Ideally, we should not be vulnerable to this attack anymore. However, I have found a way to attack the fix that was done in Internet Explorer 8. I have tested it working with IE8 RC1 and final release version IE8.0.6001.18702. I call this a “Local Redirection Attack”.
The attack works as follows:
Main application: BPET36H
Released: 03-20-08
Rev: 54
Risk: Low - Moderate
High if Web Access is in active use and access to the login page is unrestricted
Vendor Status: Vendor notified, patch available.
References: http://www.louhinetworks.fi/advisory/ibm_090409.txt
Affected devices (from vendor):
IBM BladeCenter E (1881, 7967, 8677)
3. *Vulnerability Description*
Foxit Reader is a lightweight, free PDF document viewer and printer. PDF
files may include actions (i.e., 'Go to a page view', 'Open/Execute a
file', 'Open a web link', 'Execute a menu item') associated with
different triggers (i.e., 'Mouse Up', 'Mouse Down', 'Page Visible',
'Page Invisible'). The way Foxit Reader handles an 'Open/Execute a file'
action makes the software the victim of two kinds of vulnerabilities:
authorization bypass and buffer overflow.
> controls without "preceding comment", why use the preceding comment
> at all ?
I understand the reasons for your question :-). It's because in this article I
didn't write in detail about the Saved XSS hole in IE (I referred to the original
post about it). When using this XSS, after saving the page, IE puts a comment into the
saved file (where the XSS code is also put, and this is where this hole appears). So with
this hole we will always have a preceding comment. And with the bug which
Microsoft made in IE :-) it'll be necessary to use my patch for this bug
(setting this option).