lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 10 Mar 2007 16:33:21 -0600
From: Paul Schmehl <pauls@...allas.edu>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Is OWASP vulnerable ??

--On March 10, 2007 4:51:51 PM -0500 Valdis.Kletnieks@...edu wrote:

> On Sat, 10 Mar 2007 15:15:54 CST, Paul Schmehl said:
>> Given the syntax of this function, wgBreakFrames can only have one of
>> two values: true or false.
>>
>> I'd be interested to see some POC that would show how you would exploit
>> this.
>
> The first thing to do is abuse the variable.

How?  You'd have to find some way to inject code into the javascript 
"stream".  If you can inject code into the site, it won't be because that 
variable exists.  It will be because something else isn't properly 
evaluating input.

 In addition to true and
> false, try 3, 0 , -37, "Cabbage", and maybe "true) and
> (my_evil_function()))". See if you can force it to throw a syntax error
> that creates a 404 page or something that contains *other* input you
> control, especially if it finds its way to an eval().
>
Even if this is true, all you would have then is an information disclosure 
that might lead to some other compromise path.  But all the code is 
already available to the attacker, so he/she ought to be able to read the 
code and find the exploitable condition without doing all that extra work.

Paul Schmehl (pauls@...allas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Content of type "application/pkcs7-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ