Multiple browsers: fake file download cross-site scripting

Thursday, August 28, 2008
Multiple browsers are affected by an issue when trying to download
a fake file. This is a simple study of the situation and of how to
take advantage of it. All browsers have a small system for
downloading files: when we click on a link that points to a
downloadable file, the browser shows a dialog to open, save,
or cancel the download.

Create fake files with the following extensions, for example: exe, com,
jar, bat, pdf, zip, rar, jpg, jpeg, gif, avi, wmv, wma, mpeg and txt.
Inside each one write JavaScript code such as
"><script>alert(1)</script>, and in the pdf file
write the PDF file header %PDF- before the script. Save all the
files and create an HTML page with links to the fake files for downloading them.

When we click on one of these links, some browsers fail
to determine what type the file is, and when the file is opened,
the script is executed. I have tested it in three possible
scenarios, that is, I tested the browsers' security in three zones,
with multiple browsers, but the most important ones are in
the table.

[Image: table of results per browser and zone]
The first test is a local file (LF): this is when we use the
file:// protocol (e.g. file://c:/test/index.html) and the script runs
with the same rights as the logged-in user.

The second test is on an intranet server (ID): this is when we visit
a page inside our intranet, and the script runs in the
security context of the intranet zone.

The third test is on an internet server (RD): this is when we visit
a page outside our intranet, and the script runs in the
security context of the internet zone.

After testing all of them, the most effective or secure browsers are
Mozilla Firefox and the Flock browser, because they are not
affected by this issue in any zone, and the most insecure
are Avant Browser and Maxthon Browser, because they are
vulnerable in all three zones. These two browsers use Explorer
modules, but Explorer itself is vulnerable in only two zones.

This issue can be used to carry out XSS-style attacks.

A malicious user can upload files to a server or add downloads
to sites with a link to a fake file, and when a user tries to
download it, if they are browsing with a browser that is vulnerable in that
zone, the script is executed with the rights of the affected zone.
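The upload-side check a site operator would want against the scenario above, as an added example that is not part of the original advisory: it flags an uploaded file whose leading bytes do not match its extension or that carry HTML/script markup (the advisory's own fake-file payload is used as constructed sample input), and builds the response headers that make the browser treat a stored file as an opaque download instead of sniffing it. The header mitigation, the function names, the magic-byte table and the 1024-byte sniff window are assumptions added here, not something the advisory states.

```python
import re

# Magic bytes for the extensions in the advisory that have a fixed header
# (assumed table; .bat, .com, .txt and the media types have none or vary).
MAGIC = {
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "jar": (b"PK\x03\x04",),
    "rar": (b"Rar!\x1a\x07",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "exe": (b"MZ",),
}
# Markup that a sniffing browser may take as a cue to render the file as HTML.
HTML_MARKER = re.compile(rb"<\s*(script|html|body|iframe|img|svg|object|embed)\b", re.I)
# The advisory's own payload, constructed here as sample input.
FAKE_PAYLOAD = b'"><script>alert(1)</script>'


def check_upload(filename, data, sniff_window=1024):
    """Return reasons to reject an upload; empty list means the file is consistent."""
    # sniff_window approximates the leading bytes a browser inspects (assumed).
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        reasons.append("header does not match extension ." + ext)
    # A correct header is not enough: "%PDF-" followed by a script is exactly
    # the trick the advisory describes, so the leading bytes are scanned too.
    if HTML_MARKER.search(data[:sniff_window]):
        reasons.append("HTML/script markup in leading bytes")
    return reasons


def download_headers(filename, content_type="application/octet-stream"):
    """Response headers that make the browser treat a stored file as an opaque download."""
    safe_name = re.sub(r"[^\w.\-]", "_", filename)
    return {
        "Content-Type": content_type,
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",  # tells the browser not to sniff
    }


if __name__ == "__main__":
    print(check_upload("report.pdf", b"%PDF-" + FAKE_PAYLOAD))  # header ok, script inside
    print(check_upload("tool.exe", FAKE_PAYLOAD))                # no MZ header at all
    print(check_upload("photo.gif", b"GIF89a" + b"\x00" * 32))   # consistent stub -> []
```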

An example with a more comprehensive table is available here: POC

############## €nd ###################

Thnx to Estrella for being my light
Thnx to all the Lostmon Team!
Thnx to imydes from www.imydes.com
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....


http://usuarios.lycos.es/reyfuss/browsers/