lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 16 May 2012 15:16:52 +0200
From: Krzysztof Kotowicz <kkotowicz+fd@...il.com>
To: Dan Kaminsky <dan@...para.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Trigerring Java code from a SVG image

Kind of. You can still do some stuff from <img> in Opera.
http://kotowicz.net/opera/

On Wed, May 16, 2012 at 12:25 PM, Dan Kaminsky <dan@...para.com> wrote:
> Anything from <img> in any browser?
>
>
> On Wed, May 16, 2012 at 2:25 AM, Michele Orru <antisnatchor@...il.com>
> wrote:
>>
>> Mario Heiderich did a lot of research on that, he found so many bugs
>> that allowed
>> to embed Javascript in SVG images.
>>
>> Nice stuff Nick btw,
>>
>> Cheers
>> antisnatchor
>>
>> On Wed, May 16, 2012 at 10:13 AM, Dan Kaminsky <dan@...para.com> wrote:
>> > Yeah, there's a bunch of wild stuff in SVG.  The browsers ignore most of
>> > it,
>> > AFAIK.  I think Firefox is the only browser to even consider
>> > ForeignObjects
>> > (which let you throw HTML back into SVG).
>> >
>> > Probably the most interesting SVG thing is how they either do or don't
>> > have
>> > script access, depending on whether or not they're loaded as <img>'s.
>> >  It
>> > would be problematic indeed if <img src="foo.jpg"> could suddenly render
>> > script!
>> >
>> >
>> > On Tue, May 15, 2012 at 5:07 AM, Nicolas Grégoire
>> > <nicolas.gregoire@...rri.fr> wrote:
>> >>
>> >> Hello,
>> >>
>> >> SVG is a XML-based file format for static or animated images. Some SVG
>> >> specifications (like  SVG 1.1 and SVG Tiny 1.2) allow to trigger some
>> >> Java code when the SVG file is opened.
>> >>
>> >> Given that I had to look at these features for a customer, I developed
>> >> some PoC codes which are now available online:
>> >> http://www.agarri.fr/docs/batik-evil.svg
>> >> http://www.agarri.fr/docs/batik-evil.jar
>> >>
>> >> I published a more detailed article on my blog:
>> >> http://www.agarri.fr/blog/
>> >>
>> >> Regards,
>> >> Nicolas Grégoire / @Agarri_FR
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/
>> >
>> >
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>> --
>> /antisnatchor
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ