[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Law11-OE66siRWIh0xz00003736@hotmail.com>
From: se_cur_ity at hotmail.com (Hotmail)
Subject: XSS Flaw in Tryit Editor v1.3
SECURITY VUNERABILITY ANOUNCEMENT - SECURITY VUNERABILITY ANOUNCEMENT
"0day - yourway"
04/17/2003
Morning Wood Inc.
se_cur_ity@...mail.com
http://take.candyfrom.us
http://exploit.wox.org
SECURITY VUNERABILITY ANOUNCEMENT - SECURITY VUNERABILITY ANOUNCEMENT
HTML Version is here http://exploit.wox.org/thecore/tryit13flaw.html
Vendor:
UNKNOWN ??? W3Schools.com ???
Package:
Try It 1.3 ( im sure other versions are flawed as well )
Description:
Try It 1.3 is an online HTML/PHP/XML Editor and script testing tool.
First... The info:
reference: http://www.w3schools.com/html/tryit.asp?filename=tryhtml_iframe
Rather funny.. I dont realy know that much about web-scripting etc,
The Bad:
I was looking for refrences to HTML and wound up at http://w3schools.com
and their neat online html tool
"Try It 1.3". Upon browsing to the iframe section I noticed a funny thing...
Displayed to the right was
the renderd version of the raw html on the left.. an iframe example, the
iframe is pointed to "default.asp",
which is obviously running under the context of the webserver as there is no
preceding . or /
I tried (1st time by the way) to replace default.asp with a guessed
filename "test.asp". BINGO
a perfect iframe of a color test strip.
Now the really, really, bad:
Try It 1.3 at http://4arrow.com/test/t/editor.php - This site was simply
"Googled" via "Tryit Editor v1.3"
Apears to use a cookie to recall your last input.. anyway
I played with this not really trying anything, as it to exhibited the same
flaw.
But..
Note the Section that says..
Filename: (new name = new file)
as well as the "Delete" checkbox
Sure enough it let me create a file and load it. My 9yo son was in the
room as I was
showing him this "new" cool WISYWIG editor and we made a "christian.htm"
file and that was
cool for him to play with, eventualy we closed the page and ate dinner.
Later I returned to the site to examine some examples and I was shocked to
see "christian.htm" in the load box.
Yes folks it saves, and saves sweetly it does as evidenced by... get ready..
this directory...
http://4arrow.com/test/t/
then...
http://4arrow.com/test/t/data/tpl/
and obviously..
http://4arrow.com/test/t/data/tpl/christian.htm christian.htm ( our "new"
file )
OOPS ( not good )
Now... as a test on known? exploit code,
I tested this:
http://4arrow.com/test/t/data/tpl/hmm.htm
containing...
<object id="test"
data="#"
width="100%" height="100%"
type="text/x-scriptlet"
VIEWASTEXT></object>
and was just flabergasted...
note: the vendor has not been notified as of this date nor can I determine
the exact originating author.
?morning_wood 04/17/2003
Powered by blists - more mailing lists