Message-ID: <46229760.6010301@katamail.com>
Date: Sun, 15 Apr 2007 23:21:36 +0200
From: ascii <ascii@...amail.com>
To: Michal Majchrowicz <m.majchrowicz@...il.com>
Cc: vulnwatch@...nwatch.org, vulndiscuss@...nwatch.org,
bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Cross Domain XMLHttpRequest

Michal Majchrowicz wrote:
> Due to "security reasons" many Web Browsers don't allow cross
> domain XMLHttpRequests.
[..]

hi Michal, personally i don't get your point (to me it seems just
a hybrid implementation using both server side and client side
scripting) but i'm sure you can better explain your intents

from what i saw it asks a php page to make an http query to the foreign
domain and then display back the page contents using js

so i suppose this is not a vulnerability at all, just an implementation
to (??) pass to javascript remote contents fetched using a machine !=
from the client/browser/whatever

anyway your implementation is a bit flawed

http://sectroyer.110mb.com/myhttp.php?url=file://myhttp.php&method=get

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
<?php
if(isset($_GET['url'])==true)
{
    $curl=curl_init();
    curl_setopt($curl,CURLOPT_COOKIE,$_GET['cookie']);
    curl_setopt($curl,CURLOPT_URL,rawurldecode($_GET['url']));
    curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
    if(($_GET['method']=="post") && (isset($_GET['vars'])==true))
    {
        $vars=rawurldecode($_GET['vars']);
        curl_setopt($curl,CURLOPT_POSTFIELDS,$vars);
    }
    $tmp=curl_exec($curl);
    curl_close($curl);
    echo "myglobalcallback(\"".rawurlencode($tmp)."\");";
}
?>
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

this is basically a proxy, it can make get/post requests to http
only hosts, saturate the server bandwidth *PLUS* naturally fetch any
local file : )

http://sectroyer.110mb.com/myhttp.php?url=file:///etc/passwd&method=get

please correct me if i misunderstood

best regards,
Francesco `ascii` Ongaro
http://www.ush.it/
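
Added example, not part of the original message and not the author's or the site's code: one way the proxy quoted above could refuse file:// targets and stop relaying to arbitrary hosts. The ALLOWED_HOSTS entries and the function names are hypothetical; the callback name is taken from the quoted script, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not the original myhttp.php.
// ALLOWED_HOSTS is a hypothetical allowlist of upstream hosts.
const ALLOWED_HOSTS = ['api.example.org', 'feeds.example.net'];

// Return the URL if it is safe to hand to curl, otherwise null.
function validate_target(string $raw): ?string
{
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                  // file:///etc/passwd has no host part
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                  // rejects file://myhttp.php and other schemes
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                  // no credentials embedded in the URL
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;                  // only known upstreams, not an open proxy
    }
    return $raw;                      // $_GET is already decoded, no second decode
}

// Fetch with the scheme restriction enforced inside libcurl as well.
function fetch_target(string $url)
{
    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => true,
        // Second layer: libcurl itself refuses anything but http/https.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,   // a redirect cannot leave the allowlist
        CURLOPT_CONNECTTIMEOUT  => 5,       // bound the time one request can hold
        CURLOPT_TIMEOUT         => 10,
    ]);
    return curl_exec($curl);                // string on success, false on failure
}

// Request handling: reject anything that fails validation before curl sees it.
$raw = $_GET['url'] ?? null;
$url = is_string($raw) ? validate_target($raw) : null;
if ($url === null) { http_response_code(400); exit; }
$body = fetch_target($url);
if ($body === false) { http_response_code(502); exit; }
header('Content-Type: application/javascript');
echo 'myglobalcallback(' . json_encode(rawurlencode($body)) . ');';
```

With this check both URLs shown in the message are answered with HTTP 400, because their scheme is file and the second has no host component.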