GreenBrowser About: dialog XSS and stored XSS
Vendor URL: http://www.morequick.com/
Advisory: http://lostmon.blogspot.com/2012/03/greenbrowser-about-dialog-xss-and.html
Vendor notify: NO
Exploit available: yes
#######################################
GreenBrowser is your best choice of flexible and powerful green web browser. GreenBrowser is free to download and use.
GreenBrowser contains two flaws that allow remote cross-site scripting (XSS) attacks. The flaws exist because the application does not validate the about: URI dialog and the last visited pages. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
The browser also saves the last URL visited. If a user creates a crafted link and clicks on it, the result is a stored XSS: when the browser opens, by default it loads http://www.5igb.com/StartEn.htm, which contains the last visited URL. The XSS is executed in this page :) because the browser does not validate LastVisitWriteEn() before rendering it to the user.
You can see this function here => http://www.5igb.com/function.js
#################
Proof of Concept
#################
Create an HTML document containing this code and click the link; it executes the XSS. Close the browser and open it again: the last visited pages now contain the PoC URL, and the stored XSS executes.
<html><body>
<a href='about:"><script>alert(1)</script>'>GreenBrowser about: handler XSS</a>
</body></html>
################
Versions affected
################
6.1.0117 (2012-01-17 10:22:02)
6.1.0216 (2012-02-16 21:37:10)
##################
Solution
###################
No solution was available at this time !!!
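One way a start page could render its last-visited list without executing stored markup, as an added example that is not part of the original advisory and not the code in function.js. The function names and list markup are hypothetical, and the second sample entry is the PoC URL shown above.

```javascript
// Added example: hypothetical stand-ins, not the code from function.js.
// Constructed sample history; the second entry is the PoC URL from this advisory.
const sampleHistory = [
  'http://www.morequick.com/',
  'about:"><script>alert(1)</script>',
];

// Unsafe pattern: the stored URL is concatenated into markup unchanged,
// so a quote in the URL closes the attribute and the rest is parsed as HTML.
function renderLastVisitedUnsafe(urls) {
  return urls.map((u) => '<a href="' + u + '">' + u + '</a>').join('<br>');
}

// Encode the five characters that can end an attribute value or open a tag.
// A single pass over the input avoids double-encoding the ampersand.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Only http(s) entries become clickable links (allowlist on the scheme).
function isLinkable(url) {
  return /^https?:\/\//i.test(url);
}

// Hardened renderer: every entry is encoded before it reaches the page, and
// entries with other schemes (about:, javascript:, ...) are shown as plain text.
function renderLastVisitedSafe(urls) {
  return urls
    .map((u) => {
      const url = String(u).trim();
      const shown = escapeHtml(url);
      return isLinkable(url)
        ? '<a href="' + shown + '">' + shown + '</a>'
        : '<span>' + shown + '</span>';
    })
    .join('<br>');
}

console.log(renderLastVisitedSafe(sampleHistory));
```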
################ €nd ####################
-- Sincerely: Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- Curiosity is what makes the mind move....