Bing.com WebmasterAuthenticationInformationPage.aspx XSS

Thursday, August 13, 2009
###########################################
Bing.com WebmasterAuthenticationInformationPage.aspx XSS
vendor url:http://ww.bing.com
advisore:http://lostmon.blogspot.com/2009/08/
bingcom-webmasterauthenticationinformat.html
vendor notify: yes vendor confirmed:yes
###########################################

Bing search engine contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does not
validate properly 'authTag' variable upon submission to the
'WebmasterAuthenticationInformationPage.aspx' script.This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server,leading to a loss of integrity.


them a attacker can compose a malformed link in the variable
from WebmasterAuthenticationInformationPage.aspx and Look the
result code , it is write in two boxes and in the file
'LiveSearchSiteAuth.xml'

A remote user can compose a malformed link in the variable
from WebmasterXMLAuthDownloadPage.aspx ,wen download file
LiveSearchSiteAuth.xml this file have the malicious code.

#########
solution:
##########

Vendor patch

#############
timeline:
#############

discovered: 18-jun-2009
vendor notified: 07-08-2009
vendor response: 07-08-2009
vendor patch response: 13-08-2009
disclosure: 13-08-2009


################ End #####################

Thnx to Microsoft Security Response Center (MSRC)
http://blogs.technet.com/msrc/
thnx to estrella to be my ligth
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente...

Internet explorer pwned Avant Browser

Monday, August 03, 2009
###########################################
Internet explorer pwned Avant Browser via
history Persistent XSS vulnerabilities
vendor url: http://www.avantbrowser.com/
Advisore: http://lostmon.blogspot.com/2009/08/
internet-explorer-pwned-avant-browser.html
vendor notify: NO exploit available: yes
############################################

#############
description
#############

Avant Browser´s user-friendly interface brings a new level
of clarity and efficiency to your browsing experience,and
frequent upgrades have steadily improved its reliability.
Avant Browser is freeware That's right. 100% Free!.

A recently vulnerability in Avant browser discovered by me
Can be exploit via history on ie8

Related Vuln =>

http://lostmon.blogspot.com/2009/07/
avant-browser-browserhome-persistent.html

###############
version tested
###############

Internet Explorer 8 (in xp home)

Avant Browser 11.7 build 35

#########
solution:
##########

Update to version 11.7 build 36
it is reported and tested that isn´t
vulnerable.

#############
timeline:
#############

discovered: 23-07-2009
disclosure: 03-08-2009

##################
testing
##################


http://lostmon.blogspot.com/2009/07/
avant-browser-browserhome-persistent.html

See this related vulnerability in avant browser.Now go
to exploit it across explorer , we know that the column
history is afected by a script insercion in browser:home
dinamicaly content.

If a user open explorer and try to navigate to a malicious
site like :
http://usuarios.lycos.es/reyfuss/id.php?id="><h1>Test html injection</h1>

For example if we Browse this url with avant browser =>
http://usuarios.lycos.es/reyfuss/id.php?id="><iframe src='http://www.google.com'></iframe>

The iframe does not executed correctly in history, but ,
close avant, browse the url with IE8 and them , open
avant browser ...the iframe now is executed correctly :D

Those url are saved in the explorer history, here is the
vulnerability, because Avant browser use IE8 web history
to show his own history in the browser:home history column,
them open avant browser and the html is executed in the history
colum and in most visited sites.

I don´t know if with the anty-xss filter in IE8 can protect
from a script attack but at this moment we can think that this
issue can have a html injection condition and a attacker can insert
a iframe...And this is other vector to attack Avant browser.

################ End #####################

thnx to estrella to be my ligth
thnx to Brink he is investigate with me.
thnx to all who day after day support me !!!
atentamente:
--
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente...

Orca Browser browser:home Persistent XSS vulnerability

Friday, July 31, 2009
###########################################
Orca Browser browser:home Persistent XSS vulnerability
vendor url: http://www.orcabrowser.com/
Advisore: http://lostmon.blogspot.com/2009/07/
orca-browser-browserhome-persistent-xss.html
vendor notify: NO exploit available: yes
############################################

#############
description
#############

Orca Browser´s user-friendly interface brings a new level
of clarity and efficiency to your browsing experience,and
frequent upgrades have steadily improved its reliability.
Avant Browser is freeware That's right. 100% Free!.

Orca Browser contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate properly the url links upon submission to the
bookmarks in browser:home page.
This could allow a user to create a specially crafted URL or a
bookmark that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server
wen try to load browser:home ,leading to a loss of integrity.

###############
version tested
###############

Avant Browser 1.2 build 2

#########
solution:
##########

Update to version 1.2. build 3
this version address this vulnerability.


#############
timeline:
#############

discovered: 23-jul-2009
disclosure: 30 jul 2009

##################
testing
##################

Demostration Video => http://www.spymac.com/details/?2417793

Open Orca Browser and by default the browser load
'browser:home' page. in this page we can view tree
columns , 1 top sites 2 history and 3 recent bookmarks.

Bookmarks column is vulnerable to a xss. let´s go
to demostrate.
I make a web page posible vulnerable to a xss condition

<?
$cmd=$_GET[id]
?>

I place a online doc for demo here =>
http://usuarios.lycos.es/reyfuss/id.php?id=

open Orca browser and navigate to

http://usuarios.lycos.es/reyfuss/id.php?id="><script>alert(1)</script>
click in bookmark Tool bar and click in new bookmark and add this url.

Load browser:home or close and open the browser , the script
is executed in bookmarks column.


################ End #####################

thnx to estrella to be my ligth
thnx to Brink he is investigate with me.
thnx to all who day after day support me !!!
atentamente:
--
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente...

Avant Browser browser:home Persistent XSS vulnerabilities

Thursday, July 30, 2009
###########################################
Avant Browser browser:home Persistent XSS vulnerabilities
vendor url: http://www.avantbrowser.com/
Advisore: http://lostmon.blogspot.com/2009/07/
avant-browser-browserhome-persistent.html
vendor notify: NO exploit available: yes
############################################

#############
description
#############

Avant Browser´s user-friendly interface brings a new level
of clarity and efficiency to your browsing experience,and
frequent upgrades have steadily improved its reliability.
Avant Browser is freeware That's right. 100% Free!.

Avant Browse contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate properly the url links upon submission to the
history, bookmarks and top sites visited in browser:home page.
This could allow a user to create a specially crafted URL or a
bookmark that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server
wen try to load browser:home ,leading to a loss of integrity.

###############
version tested
###############

Avant Browser 11.7 build 35

#########
solution:
##########

Update to version 11.7 build 36
it is reported and tested that isn´t
vulnerable.


#############
timeline:
#############

discovered: 23-jul-2009
disclosure: 30 jul 2009

##################
testing
##################

Demostration Video => http://www.spymac.com/details/?2417793
Open Avant Browser and by default the browser load
'browser:home' page. in this page we can view tree
columns , 1 top sites 2 history and 3 recent bookmarks.

All tree colums are prone vulnerables to a xss let´s go
to demostrate it in the tree cases.
I make a web page posible vulnerable to a xss condition

<?
$cmd=$_GET[id]
?>

I place a online doc for demo here =>
http://usuarios.lycos.es/reyfuss/id.php?id=

open avant browser and navigate to
http://usuarios.lycos.es/reyfuss/id.php?id="><script>alert(1)</script>
wait until load , and them close the browser
or open Browser:home URI.

The script is executed and we have two columns afected,
the first and the second.

go to tools menu and delete history ...

open avant browser and go to
http://usuarios.lycos.es/reyfuss/id.php?id="><script>alert(1)</script>

rigth click and select add bookmark and add it.

load again browser:home and the xss is executed
in bookmarks column.

So if we for example like to deny the access to
browser:home we can load =>
http://usuarios.lycos.es/reyfuss/id.php?id="><script>window.close()</script>
and wen open the broser and load browser:home on load,
the script close it.

so if we like to denial the service we can load =>
http://usuarios.lycos.es/reyfuss/id.php?id="><script>while(1)alert(1)</script>

################ End #####################

thnx to estrella to be my ligth
thnx to Brink he is investigate with me.
thnx to all who day after day support me !!!
atentamente:
--
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente...
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends