Date: Sun, 15 Apr 2007 22:33:26 +0200
From: "Michal Majchrowicz" <m.majchrowicz@...il.com>
To: ascii <ascii@...amail.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Cross Domain XMLHttpRequest

Hi.
Thanks for showing this vulnerability :) In fact it was not supposed
to be safe, but now it should be :) You are right, this is not a
vulnerability by itself, but it gives an attacker a very useful tool
for attackers/trojans to perform Real Time Attacks on users' browsers.
Regards, Michal.

On 4/15/07, ascii <ascii@...amail.com> wrote:
> Michal Majchrowicz wrote:
> > Due to "security reasons" many Web Browsers don't allow cross
> > domain XMLHttpRequests.
>
> [..]
>
> hi Michal, personally i don't get your point (to me it seems just
> a hybrid implementation using both server side and client side
> scripting) but i'm sure you can better explain your intents
>
> from what i saw it asks a php page to make an http query to the foreign
> domain and then display back the page contents using js
>
> so i suppose this is not a vulnerability at all, just an implementation
> to (??) pass to javascript remote contents fetched using a machine !=
> from the client/browser/whatever
>
> anyway your implementation is a bit flawed
>
> http://sectroyer.110mb.com/myhttp.php?url=file://myhttp.php&method=get
>
> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
>
> <?php
> if(isset($_GET['url'])==true)
> {
> $curl=curl_init();
> curl_setopt($curl,CURLOPT_COOKIE,$_GET['cookie']);
> curl_setopt($curl,CURLOPT_URL,rawurldecode($_GET['url']));
> curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
> if(($_GET['method']=="post") && (isset($_GET['vars'])==true))
> {
> $vars=rawurldecode($_GET['vars']);
> curl_setopt($curl,CURLOPT_POSTFIELDS,$vars);
> }
> $tmp=curl_exec($curl);
> curl_close($curl);
> echo "myglobalcallback(\"".rawurlencode($tmp)."\");";
> }
> ?>
>
> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
>
> this is basically a proxy, it can make get/post requests to http
> only hosts, saturate the server bandwidth *PLUS* naturally fetch any
> local file : )
>
> http://sectroyer.110mb.com/myhttp.php?url=file:///etc/passwd&method=get
>
> please correct me if i misunderstood
>
> best regards,
> Francesco `ascii` Ongaro
> http://www.ush.it/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
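The quoted myhttp.php accepts any URL scheme curl understands, which is why `url=file:///etc/passwd` returns a local file and why any host reachable from the server can be fetched through it. The script below is an added example, not code from the thread or from either author, showing how such a JavaScript-facing proxy can be written so that it only reaches the destinations it was meant to reach. The allowlisted host names and the `myglobalcallback` callback name are assumptions for illustration.

```php
<?php
// Added example (not from the original thread): a hardened rewrite of the
// quoted myhttp.php proxy. ALLOWED_HOSTS is a hypothetical allowlist.

const ALLOWED_HOSTS = ['api.example.com', 'www.example.org'];

// Validate a client-supplied target URL. Returns ['ok' => true, 'pin' => "host:port:ip"]
// or ['ok' => false, 'reason' => ...]. The pin lets curl use the address we vetted.
function validate_target(string $url): array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return ['ok' => false, 'reason' => 'malformed URL'];
    }
    // file://, ftp://, gopher:// etc. must never reach curl.
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return ['ok' => false, 'reason' => 'scheme not allowed'];
    }
    // Only explicitly allowlisted hosts, not "anything reachable from the server".
    $host = strtolower($p['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return ['ok' => false, 'reason' => 'host not allowed'];
    }
    // Even an allowlisted name must not resolve to loopback, private or
    // reserved ranges (gethostbynamel only returns IPv4 addresses).
    $ips = gethostbynamel($host);
    if ($ips === false || $ips === []) {
        return ['ok' => false, 'reason' => 'host does not resolve'];
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return ['ok' => false, 'reason' => 'host resolves to a private or reserved address'];
        }
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return ['ok' => true, 'pin' => "$host:$port:{$ips[0]}"];
}

// Fetch the vetted URL with curl, restricted to HTTP(S), no redirects,
// bounded time and size, and no client-supplied cookies forwarded.
function fetch_target(string $url, string $pin, string $method, string $body): array
{
    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,     // a redirect could leave the allowlist
        CURLOPT_RESOLVE         => [$pin],    // pin to the IP checked above (anti-rebinding)
        CURLOPT_CONNECTTIMEOUT  => 5,         // bound the bandwidth/time an abuser can consume
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_MAXFILESIZE     => 1 << 20,
    ]);
    if ($method === 'post') {
        curl_setopt($curl, CURLOPT_POST, true);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $body);
    }
    $data = curl_exec($curl);
    $status = (int) curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
    $err = curl_error($curl);
    curl_close($curl);
    return ['status' => $status, 'body' => $data === false ? '' : $data, 'error' => $err];
}

// Request handling. $_GET values are already URL-decoded by PHP, so the
// original's rawurldecode() was a second decode and is not repeated here.
$url    = $_GET['url'] ?? '';
$method = strtolower($_GET['method'] ?? 'get');
$body   = $_GET['vars'] ?? '';
$callback = 'myglobalcallback';  // fixed server-side, never taken from the request

header('Content-Type: application/javascript; charset=utf-8');
header('X-Content-Type-Options: nosniff');

if (!in_array($method, ['get', 'post'], true)) {
    http_response_code(400);
    echo $callback . '(' . json_encode(['error' => 'method not allowed']) . ');';
    exit;
}
$check = validate_target($url);
if (!$check['ok']) {
    http_response_code(400);
    echo $callback . '(' . json_encode(['error' => $check['reason']]) . ');';
    exit;
}
$result = fetch_target($url, $check['pin'], $method, $body);
// json_encode yields a valid JS literal, replacing rawurlencode() of the raw body.
echo $callback . '(' . json_encode($result, JSON_INVALID_UTF8_SUBSTITUTE) . ');';
```

With this version both of ascii's probes (`url=file://myhttp.php` and `url=file:///etc/passwd`) are rejected at the scheme check before curl is ever called, and `CURLOPT_PROTOCOLS` would refuse them even if the check were somehow bypassed. The allowlist plus the private-range filter addresses the "reach any host from the server" concern, and the timeouts and size cap limit the bandwidth-saturation concern raised in the thread; the fixed callback name and `json_encode` avoid turning the proxy into a script-injection point in the page that consumes it.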
