lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 16 May 2012 10:25:29 +0100
From: Michele Orru <antisnatchor@...il.com>
To: Dan Kaminsky <dan@...para.com>
Cc: full-disclosure@...ts.grok.org.uk,
	Nicolas Grégoire <nicolas.gregoire@...rri.fr>
Subject: Re: Trigerring Java code from a SVG image

Mario Heiderich did a lot of research on that, he found so many bugs
that allowed
to embed Javascript in SVG images.

Nice stuff Nick btw,

Cheers
antisnatchor

On Wed, May 16, 2012 at 10:13 AM, Dan Kaminsky <dan@...para.com> wrote:
> Yeah, there's a bunch of wild stuff in SVG.  The browsers ignore most of it,
> AFAIK.  I think Firefox is the only browser to even consider ForeignObjects
> (which let you throw HTML back into SVG).
>
> Probably the most interesting SVG thing is how they either do or don't have
> script access, depending on whether or not they're loaded as <img>'s.  It
> would be problematic indeed if <img src="foo.jpg"> could suddenly render
> script!
>
>
> On Tue, May 15, 2012 at 5:07 AM, Nicolas Grégoire
> <nicolas.gregoire@...rri.fr> wrote:
>>
>> Hello,
>>
>> SVG is a XML-based file format for static or animated images. Some SVG
>> specifications (like  SVG 1.1 and SVG Tiny 1.2) allow to trigger some
>> Java code when the SVG file is opened.
>>
>> Given that I had to look at these features for a customer, I developed
>> some PoC codes which are now available online:
>> http://www.agarri.fr/docs/batik-evil.svg
>> http://www.agarri.fr/docs/batik-evil.jar
>>
>> I published a more detailed article on my blog:
>> http://www.agarri.fr/blog/
>>
>> Regards,
>> Nicolas Grégoire / @Agarri_FR
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



-- 
/antisnatchor

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ