From: se_cur_ity at hotmail.com (Hotmail)
Subject: XSS Flaw in Tryit Editor v1.3

SECURITY VULNERABILITY ANNOUNCEMENT - SECURITY VULNERABILITY ANNOUNCEMENT

"0day - yourway"

04/17/2003
Morning Wood Inc.
se_cur_ity@...mail.com
http://take.candyfrom.us
http://exploit.wox.org

SECURITY VULNERABILITY ANNOUNCEMENT - SECURITY VULNERABILITY ANNOUNCEMENT

HTML Version is here http://exploit.wox.org/thecore/tryit13flaw.html



Vendor:
UNKNOWN ??? W3Schools.com ???

Package:
Try It 1.3 ( I'm sure other versions are flawed as well )

Description:
Try It 1.3 is an online HTML/PHP/XML Editor and script testing tool.


First... The info:

reference: http://www.w3schools.com/html/tryit.asp?filename=tryhtml_iframe

Rather funny.. I don't really know that much about web-scripting etc,


The Bad:

 I was looking for references to HTML and wound up at http://w3schools.com
and their neat online html tool
"Try It 1.3". Upon browsing to the iframe section I noticed a funny thing...
Displayed to the right was
the rendered version of the raw html on the left.. an iframe example, the
iframe is pointed to "default.asp",
which is obviously running under the context of the webserver as there is no
preceding . or /
 I tried (1st time by the way) to replace default.asp with a guessed
filename "test.asp". BINGO
a perfect iframe of a color test strip.


Now the really, really, bad:

 Try It 1.3 at http://4arrow.com/test/t/editor.php - This site was simply
"Googled" via "Tryit Editor v1.3"
Appears to use a cookie to recall your last input.. anyway
I played with this not really trying anything, as it too exhibited the same
flaw.

But..

 Note the Section that says..

 Filename: (new name = new file)

as well as the "Delete" checkbox

  Sure enough it let me create a file and load it. My 9yo son was in the
room as I was
showing him this "new" cool WYSIWYG editor and we made a "christian.htm"
file and that was
 cool for him to play with, eventually we closed the page and ate dinner.
Later I returned to the site to examine some examples and I was shocked to
see "christian.htm" in the load box.
Yes folks it saves, and saves sweetly it does as evidenced by... get ready..
this directory...
http://4arrow.com/test/t/
then...
http://4arrow.com/test/t/data/tpl/
and obviously..
http://4arrow.com/test/t/data/tpl/christian.htm christian.htm ( our "new"
file )

OOPS ( not good )


Now... as a test on known? exploit code,
I tested this:

http://4arrow.com/test/t/data/tpl/hmm.htm
containing...

<object id="test"
       data="#"
       width="100%" height="100%"
       type="text/x-scriptlet"
       VIEWASTEXT></object>



and was just flabbergasted...


note: the vendor has not been notified as of this date nor can I determine
the exact originating author.





© morning_wood 04/17/2003
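The two defects the post describes are a save handler that accepts any filename and writes it into a web-served directory (data/tpl/), and a preview pane that renders the saved HTML with the editor site's own origin, so active content like the <object> scriptlet runs as the site. The following is an added example, not code from the post or from the Try It editor (which is PHP): a hardened draft path and preview headers in Python. The directory layout, session-id format and name rules are constructed assumptions for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed layout for this example: saved drafts live in a directory that
# the web server never maps to a URL. In the reported setup the saved file
# appeared directly under the web root at data/tpl/, which is what made
# "christian.htm" and "hmm.htm" fetchable by anyone who knew the path.
DRAFT_STORE = PurePosixPath("/var/lib/editor/drafts")  # hypothetical, not served

# A draft name is a short token plus ".htm": no path separators and no other
# dots, so "../default.asp", "test.asp" and "" are rejected before any disk I/O.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}\.htm")
SESSION_RE = re.compile(r"[0-9a-f]{32}")  # assumed session-id format


def validate_name(name: str) -> bool:
    """Allowlist check for a user-supplied draft filename."""
    return NAME_RE.fullmatch(name) is not None


def draft_path(session_id: str, name: str,
               store: PurePosixPath = DRAFT_STORE) -> PurePosixPath:
    """Map (session, name) to a storage path inside a per-session directory,
    so one visitor cannot read, overwrite or delete another visitor's draft."""
    if SESSION_RE.fullmatch(session_id) is None:
        raise ValueError("malformed session id")
    if not validate_name(name):
        raise ValueError("invalid draft name")
    path = store / session_id / name
    # Symbolic containment check as defence in depth; the regexes above already
    # exclude separators and "..", so this should never fire.
    if store not in path.parents:
        raise ValueError("path escapes draft store")
    return path


def preview_headers() -> dict:
    """Headers for the preview response. The CSP sandbox directive gives the
    rendered draft an opaque origin and disables scripts and plugins, so the
    user's markup cannot act as the editor site; nosniff stops the browser
    from reinterpreting the body as another content type."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "sandbox",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
    }
```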
