##########################################
Maxthon Browser URI about: Dialog XSS.
Vendor URL: http://www.maxthon.com/
Advisore:http://lostmon.blogspot.com/2008/09/
avant-browser-uri-about-dialog-xss_05.html
Vendor notify:yes exploit available:yes
##########################################
##########################
Vulnerability description
##########################
Maxthon Browser contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate In the URI dialog
'about:' This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's
browser within the trust relationship between the browser
and the server,leading loss ofintegrity.
#################
Versions
################·
Maxthon Browser 1.6.4 built 20 Vulnerable
Maxthon Browser 2.0.2.2961 Not vulnerable
Aparently in changelog of this version (2.0.2.2961)
The vendor has change some parts of about dialog ,them,
this vulnerability its pached after this version; but
before, prior versions can be vulnerables too.
ChangeLog from Maxthon:
http://www.maxthon.com/changelog.htm
###################
Solution
###################
Update to version 2.0.2.2961 or latest built.
###################
Timeline
##################
Dicovered:16-08-2008
vendor notify:05-09-2008
Vendor response:---
Public Disclosure:----
###################
Proof of Concept.
###################
#############
Test
#############
Put in your Maxthon Broser
about:"><script>alert(1)</script>
or create a link like
<a href='about:<a href='about:"><script>alert(1)</script>'>Maxthon Browser XSS</a>
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Avant Browser URI about: Dialog XSS
##########################################
Avant Browser URI about: Dialog XSS.
Vendor URL: http://www.avantbrowser.com/
Advisory:http://lostmon.blogspot.com/2008/09/
avant-browser-uri-about-dialog-xss.html
Vendor notify:Yes exploit available:yes
##########################################
##########################
Vulnerability description
##########################
Avant Browser contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate In the URI dialog
'about:' This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's
browser within the trust relationship between the browser
and the server,leading loss of integrity.
#################
Versions
################·
Avant Browser 11.6 built 20 vulnerable.
Avant Browser 11.6 built 7 vulnerable
###################
Solution
###################
No Solution at this time !!!
###################
Timeline
##################
Discovered:16-08-2008
vendor notify:05-09-2008
Vendor response:---
Public Disclosure:----
###################
Proof of Concept.
###################
#############
Test
#############
Put in your Avant Broser
about:"><script>alert(1)</script>
or create a link like
<a href='about:"><script>alert(1)</script>'>Avant Browser XSS</a>
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Avant Browser URI about: Dialog XSS.
Vendor URL: http://www.avantbrowser.com/
Advisory:http://lostmon.blogspot.com/2008/09/
avant-browser-uri-about-dialog-xss.html
Vendor notify:Yes exploit available:yes
##########################################
##########################
Vulnerability description
##########################
Avant Browser contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate In the URI dialog
'about:' This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's
browser within the trust relationship between the browser
and the server,leading loss of integrity.
#################
Versions
################·
Avant Browser 11.6 built 20 vulnerable.
Avant Browser 11.6 built 7 vulnerable
###################
Solution
###################
No Solution at this time !!!
###################
Timeline
##################
Discovered:16-08-2008
vendor notify:05-09-2008
Vendor response:---
Public Disclosure:----
###################
Proof of Concept.
###################
#############
Test
#############
Put in your Avant Broser
about:"><script>alert(1)</script>
or create a link like
<a href='about:"><script>alert(1)</script>'>Avant Browser XSS</a>
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Multiple browsers Fake files donwload Cross-site scripting
Thursday, August 28, 2008
Multiple browsers are afected by a issue wen try to download
a fake file, this is a simple study of this situation , and
how to take profit. All Browsers have a little system for
download files, wen we click in a link,and this link go to
a downloable file, the browsers show a dialog to open ,save,
or cancel the download.
Create a fake files with the follows extensions ,exe,com,jar,
bat,pdf,zip,rar,jpg,jpeg,gif,avi,wmv,wma,mpeg, and txt for
example...and inside write a javascript code like
"><script>alert(1)</script> and in the pdf file ,
write before script, the head for a pdf file %PDF- save al
files and create a html with links to fake files,for download it.
Wen we click in some of this links, some browsers fails
to determine what file type it´s and wen the file is open,
the script is executed. I have test it in tree posible
scenarios or i test the security browsers in tree Zones,
with multiple browsers , but the most important are in
the table.

Click In the image to enlarge
The first test is local file (LF) this is wen we use protocol
file:// (ej: file://c:/test/index.html) and the script is runing
with the same rights that the users logged.
The second test is in a intranet server (ID) it´s wen we visit
a page inside our intranet, and The script it´s running in the
context of security of intranet zone.
The third test is in a internet server (RD) it´s when we visit
a page outside our intranet, and The script it´s running in the
context of security ofinternet zone .
Affter test all, the most efective or secure browsers are ,
Mozilla Firefox and Flock browser, because they are non
afeccted by this issue in any zone, and the most insecure
is Avant browser and Maxthon Browser, because they are
vulnerables in the tree zones, this two browsers use explorer
modules, but explorer its vulnerable only in two zones.
This issue can use to execute XSS style attacks.
A malicious user can upload files to server or add downloads
to sites with the link to a fake file and wen a user try to
donwload it , if it navigate with a vulnerable browser in the
Zone, the script is executed with the rights of the affected Zone.
a example with moore comprensive table is available here POC
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
http://usuarios.lycos.es/reyfuss/browsers/
a fake file, this is a simple study of this situation , and
how to take profit. All Browsers have a little system for
download files, wen we click in a link,and this link go to
a downloable file, the browsers show a dialog to open ,save,
or cancel the download.
Create a fake files with the follows extensions ,exe,com,jar,
bat,pdf,zip,rar,jpg,jpeg,gif,avi,wmv,wma,mpeg, and txt for
example...and inside write a javascript code like
"><script>alert(1)</script> and in the pdf file ,
write before script, the head for a pdf file %PDF- save al
files and create a html with links to fake files,for download it.
Wen we click in some of this links, some browsers fails
to determine what file type it´s and wen the file is open,
the script is executed. I have test it in tree posible
scenarios or i test the security browsers in tree Zones,
with multiple browsers , but the most important are in
the table.
Click In the image to enlarge
The first test is local file (LF) this is wen we use protocol
file:// (ej: file://c:/test/index.html) and the script is runing
with the same rights that the users logged.
The second test is in a intranet server (ID) it´s wen we visit
a page inside our intranet, and The script it´s running in the
context of security of intranet zone.
The third test is in a internet server (RD) it´s when we visit
a page outside our intranet, and The script it´s running in the
context of security ofinternet zone .
Affter test all, the most efective or secure browsers are ,
Mozilla Firefox and Flock browser, because they are non
afeccted by this issue in any zone, and the most insecure
is Avant browser and Maxthon Browser, because they are
vulnerables in the tree zones, this two browsers use explorer
modules, but explorer its vulnerable only in two zones.
This issue can use to execute XSS style attacks.
A malicious user can upload files to server or add downloads
to sites with the link to a fake file and wen a user try to
donwload it , if it navigate with a vulnerable browser in the
Zone, the script is executed with the rights of the affected Zone.
a example with moore comprensive table is available here POC
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
http://usuarios.lycos.es/reyfuss/browsers/
PopnupBlog index.php multiple variables XSS
Monday, August 25, 2008
##########################################
PopnupBlog index.php multiple variables XSS
Vendor url:http://www.bluemooninc.biz/
Advisore:http://lostmon.blogspot.com/2008/08/
popnupblog-indexphp-multiple-variables.html
Vendor notify:no exploits availables:yes
##########################################
PopnupBlog contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'param' , 'cat_id' and
'view' variables upon submission to 'index.php' script.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.
##########
versions
##########
PopnupBlog 3.20 code name: Denali
Prior versions can be vulnerables too.
it affects This type CMS Systems if we
have instaled this module:
Xoops
e-xoops
ImpressCMS
Bcoos
and other that uses xoops code and this module.
############
Solution
############
No solution at this time !!!
But you can edit the source code and ix it like:
for fix 'param' open index.php and arround line 37 we have
[code]
$params = PopnupBlogUtils::getDateFromHttpParams();
$start = PopnupBlogUtils::getStartFromHttpParams();
$view = $BlogCNF['default_view'];
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;
[/code]
add a line to force 'param' to return a integer:
[code]
$_GET['param'] = intval($_GET['param']);
$params = PopnupBlogUtils::getDateFromHttpParams();
$start = PopnupBlogUtils::getStartFromHttpParams();
$view = $BlogCNF['default_view'];
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;
[/code]
for fix 'cat_id' and 'view' open index.php and arround line 129 :
[code]
$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email
$cat_id=0;
if (isset($_GET['cat_id'])) $cat_id = $_GET['cat_id'];
if (isset($_POST['cat_id'])) $cat_id = $_POST['cat_id'];
$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));
if (isset($_GET['view'])) $view = $_GET['view'];
if (isset($_POST['view'])) $view = $_POST['view'];
[/code]
add intval to force variables to return an integer like:
[code]
$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email
$cat_id=0;
if (isset($_GET['cat_id'])) $cat_id = intval($_GET['cat_id']);
if (isset($_POST['cat_id'])) $cat_id = intval($_POST['cat_id']);
$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));
if (isset($_GET['view'])) $view = intval($_GET['view']);
if (isset($_POST['view'])) $view = intval($_POST['view']);
[/code]
###########
Examples
###########
http://localhost/modules/popnupblog/index.php?param=1
">[XSS-CODE]&start=0,10&cat_id=&view=1
http://localhost/modules/popnupblog/index.php?param=
&start=0,10&cat_id=">[XSS-CODE]&view=1
http://localhost/modules/popnupblog/index.php?param=
&start=0,10&cat_id=&view=1">[XSS-CODE]
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
PopnupBlog index.php multiple variables XSS
Vendor url:http://www.bluemooninc.biz/
Advisore:http://lostmon.blogspot.com/2008/08/
popnupblog-indexphp-multiple-variables.html
Vendor notify:no exploits availables:yes
##########################################
PopnupBlog contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'param' , 'cat_id' and
'view' variables upon submission to 'index.php' script.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.
##########
versions
##########
PopnupBlog 3.20 code name: Denali
Prior versions can be vulnerables too.
it affects This type CMS Systems if we
have instaled this module:
Xoops
e-xoops
ImpressCMS
Bcoos
and other that uses xoops code and this module.
############
Solution
############
No solution at this time !!!
But you can edit the source code and ix it like:
for fix 'param' open index.php and arround line 37 we have
[code]
$params = PopnupBlogUtils::getDateFromHttpParams();
$start = PopnupBlogUtils::getStartFromHttpParams();
$view = $BlogCNF['default_view'];
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;
[/code]
add a line to force 'param' to return a integer:
[code]
$_GET['param'] = intval($_GET['param']);
$params = PopnupBlogUtils::getDateFromHttpParams();
$start = PopnupBlogUtils::getStartFromHttpParams();
$view = $BlogCNF['default_view'];
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;
[/code]
for fix 'cat_id' and 'view' open index.php and arround line 129 :
[code]
$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email
$cat_id=0;
if (isset($_GET['cat_id'])) $cat_id = $_GET['cat_id'];
if (isset($_POST['cat_id'])) $cat_id = $_POST['cat_id'];
$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));
if (isset($_GET['view'])) $view = $_GET['view'];
if (isset($_POST['view'])) $view = $_POST['view'];
[/code]
add intval to force variables to return an integer like:
[code]
$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email
$cat_id=0;
if (isset($_GET['cat_id'])) $cat_id = intval($_GET['cat_id']);
if (isset($_POST['cat_id'])) $cat_id = intval($_POST['cat_id']);
$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));
if (isset($_GET['view'])) $view = intval($_GET['view']);
if (isset($_POST['view'])) $view = intval($_POST['view']);
[/code]
###########
Examples
###########
http://localhost/modules/popnupblog/index.php?param=1
">[XSS-CODE]&start=0,10&cat_id=&view=1
http://localhost/modules/popnupblog/index.php?param=
&start=0,10&cat_id=">[XSS-CODE]&view=1
http://localhost/modules/popnupblog/index.php?param=
&start=0,10&cat_id=&view=1">[XSS-CODE]
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)