###########################################
Avant Browser browser:home Persistent XSS vulnerabilities
vendor url: http://www.avantbrowser.com/
Advisore: http://lostmon.blogspot.com/2009/07/
avant-browser-browserhome-persistent.html
vendor notify: NO exploit available: yes
############################################
#############
description
#############
Avant Browser´s user-friendly interface brings a new level
of clarity and efficiency to your browsing experience,and
frequent upgrades have steadily improved its reliability.
Avant Browser is freeware That's right. 100% Free!.
Avant Browse contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate properly the url links upon submission to the
history, bookmarks and top sites visited in browser:home page.
This could allow a user to create a specially crafted URL or a
bookmark that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server
wen try to load browser:home ,leading to a loss of integrity.
###############
version tested
###############
Avant Browser 11.7 build 35
#########
solution:
##########
Update to version 11.7 build 36
it is reported and tested that isn´t
vulnerable.
#############
timeline:
#############
discovered: 23-jul-2009
disclosure: 30 jul 2009
##################
testing
##################
Demostration Video => http://www.spymac.com/details/?2417793
Open Avant Browser and by default the browser load
'browser:home' page. in this page we can view tree
columns , 1 top sites 2 history and 3 recent bookmarks.
All tree colums are prone vulnerables to a xss let´s go
to demostrate it in the tree cases.
I make a web page posible vulnerable to a xss condition
<?
$cmd=$_GET[id]
?>
I place a online doc for demo here =>
http://usuarios.lycos.es/reyfuss/id.php?id=
open avant browser and navigate to
http://usuarios.lycos.es/reyfuss/id.php?id="><script>alert(1)</script>
wait until load , and them close the browser
or open Browser:home URI.
The script is executed and we have two columns afected,
the first and the second.
go to tools menu and delete history ...
open avant browser and go to
http://usuarios.lycos.es/reyfuss/id.php?id="><script>alert(1)</script>
rigth click and select add bookmark and add it.
load again browser:home and the xss is executed
in bookmarks column.
So if we for example like to deny the access to
browser:home we can load =>
http://usuarios.lycos.es/reyfuss/id.php?id="><script>window.close()</script>
and wen open the broser and load browser:home on load,
the script close it.
so if we like to denial the service we can load =>
http://usuarios.lycos.es/reyfuss/id.php?id="><script>while(1)alert(1)</script>
################ End #####################
thnx to estrella to be my ligth
thnx to Brink he is investigate with me.
thnx to all who day after day support me !!!
atentamente:
--
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente...