| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1337189351.23706.188.camel@new-desktop> Date: Wed, 16 May 2012 19:29:11 +0200 From: Nicolas Grégoire <nicolas.gregoire@...rri.fr> To: full-disclosure@...ts.grok.org.uk Subject: Re: Trigerring Java code from a SVG image > Uploading a SVG chameleon (SVG file triggering a XSLT > transformation) to a website allows to display nearly arbitrary > content if the file is called directly. In order to demonstrate this point _and_ the weird Opera behavior, I put online a SVG chameleon and a HTML file calling it via <img>: http://www.agarri.fr/docs/svg2html.svg http://www.agarri.fr/docs/svg2html.html If the chameleon is called directly, Opera, Firefox and Webkit (IE untested) execute the HTML Javascript code located in the output document. Look at the DOM, there's no more reference to the source SVG file anymore. If the chameleon is called via <img>, only Opera renders the HTML output (without executing the Javascript). I didn't test if the inter-documents behavior is similar to the (i)frames one ... Screen-shot: http://www.agarri.fr/docs/opera-chameleon.png <shameless advertising>I'll demonstrate some additional XML/XSLT/SVG/... tricks at Hack in the Box Amsterdam next week</shameless advertising> Nicolas _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists