Message-ID: <46229760.6010301@katamail.com>
Date: Sun, 15 Apr 2007 23:21:36 +0200
From: ascii <ascii@...amail.com>
To: Michal Majchrowicz <m.majchrowicz@...il.com>
Cc: vulndiscuss@...nwatch.org, vulnwatch@...nwatch.org,
	bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: Cross Domain XMLHttpRequest

Michal Majchrowicz wrote:
> Due to "security reasons" many Web Browsers don't allow cross
> domain XMLHttpRequests.

[..]

hi Michal, personally i don't get your point (to me it seems just
a hybrid implementation using both server side and client side
scripting) but i'm sure you can better explain your intents

from what i saw it asks a php page to make an http query to the foreign
domain and then display back the page contents using js

so i suppose this is not a vulnerability at all, just an implementation
to (??) pass to javascript remote contents fetched using a machine !=
from the client/browser/whatever

anyway your implementation is a bit flawed

http://sectroyer.110mb.com/myhttp.php?url=file://myhttp.php&method=get

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

<?php
if(isset($_GET['url'])==true)
{
    $curl=curl_init();
    // cookie is forwarded verbatim from the query string (guarded so a
    // missing parameter does not raise an undefined index notice)
    curl_setopt($curl,CURLOPT_COOKIE,isset($_GET['cookie'])?$_GET['cookie']:'');
    // the target URL is taken as-is: no scheme or host restriction, so
    // file://, internal hosts and arbitrary ports are all reachable
    curl_setopt($curl,CURLOPT_URL,rawurldecode($_GET['url']));
    curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
    if(($_GET['method']=="post") && (isset($_GET['vars'])==true))
    {
        // caller-controlled POST body
        $vars=rawurldecode($_GET['vars']);
        curl_setopt($curl,CURLOPT_POSTFIELDS,$vars);
    }
    $tmp=curl_exec($curl);
    curl_close($curl);
    // response is handed back to the page as a JSONP-style callback
    echo "myglobalcallback(\"".rawurlencode($tmp)."\");";
}
?>

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

this is basically a proxy, it can make get/post requests to http
only hosts, saturate the server bandwidth *PLUS* naturally fetch any
local file : )

http://sectroyer.110mb.com/myhttp.php?url=file:///etc/passwd&method=get

please correct me if i misunderstood

best regards,
Francesco `ascii` Ongaro
http://www.ush.it/
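A hardened counterpart to the quoted proxy, added here as an illustration and not code from either poster: it allowlists the URL scheme and host, refuses targets that resolve to loopback, private or reserved ranges, stops redirects from escaping the allowlist, and bounds request time and response size. The host names in $allowed_hosts are constructed placeholders.

```php
<?php
// Hardened version of the myhttp.php idea (added example, not the original code).
// Assumption: the page only ever needs to reach the hosts listed below over http(s).
$allowed_hosts = ['api.example.com', 'data.example.org']; // constructed allowlist

function resolves_to_public_ip(string $host): bool {
    // Reject a permitted hostname whose records point at internal services.
    // gethostbynamel() only returns IPv4 records; resolve AAAA separately if IPv6 is in use.
    $addrs = gethostbynamel($host);
    if ($addrs === false) return false;
    foreach ($addrs as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

function validate_target(string $url, array $allowed_hosts): ?string {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) return null;
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) return null; // no file://, gopher:// ...
    if (!in_array(strtolower($p['host']), $allowed_hosts, true)) return null;      // host allowlist
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) return null;  // no internal port probing
    if (!resolves_to_public_ip($p['host'])) return null;
    return $url;
}

$url = isset($_GET['url']) ? validate_target($_GET['url'], $allowed_hosts) : null;
if ($url === null) {
    http_response_code(400);
    exit;
}
$curl = curl_init($url);
curl_setopt_array($curl, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // enforce the scheme check in curl too
    CURLOPT_FOLLOWLOCATION => false,   // a 3xx to another host would otherwise bypass the allowlist
    CURLOPT_CONNECTTIMEOUT => 5,
    CURLOPT_TIMEOUT        => 10,      // bound how long one request can occupy the server
    CURLOPT_MAXFILESIZE    => 1048576, // 1 MiB cap (honoured when Content-Length is announced)
]);
if (($_GET['method'] ?? 'get') === 'post' && isset($_GET['vars'])) {
    curl_setopt($curl, CURLOPT_POSTFIELDS, $_GET['vars']);
}
$body = curl_exec($curl);
curl_close($curl);
header('Content-Type: application/javascript');
// json_encode() produces a correctly quoted JS string literal for the callback argument
echo 'myglobalcallback(' . json_encode($body === false ? null : $body) . ');';
```

The DNS check and curl's own lookup are two separate resolutions, so pinning the validated address with CURLOPT_RESOLVE would close the remaining rebinding window.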
