lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAAOnDKfuMfjyyOA2dO2e2L_VhSmMWDQ6v0HhbVzfQgb9jzB3Bw@mail.gmail.com>
Date: Thu, 17 May 2012 09:43:49 +0100
From: Michele Orru <antisnatchor@...il.com>
To: Nicolas Grégoire <nicolas.gregoire@...rri.fr>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Trigerring Java code from a SVG image

Nice one.
I thought behaviors like these were already fixed, but
I was wrong :D

Certainly something to add to BeEF.
Pity I will not be at HITB.

Cheers
antisnatchor
On Wed, May 16, 2012 at 6:29 PM, Nicolas Grégoire
<nicolas.gregoire@...rri.fr> wrote:
>
>> Uploading a SVG chameleon (SVG file triggering a XSLT
>> transformation) to a website allows to display nearly arbitrary
>> content if the file is called directly.
>
> In order to demonstrate this point _and_ the weird Opera behavior, I put
> online a SVG chameleon and a HTML file calling it via <img>:
> http://www.agarri.fr/docs/svg2html.svg
> http://www.agarri.fr/docs/svg2html.html
>
> If the chameleon is called directly, Opera, Firefox and Webkit (IE
> untested) execute the HTML Javascript code located in the output
> document. Look at the DOM, there's no more reference to the source SVG
> file anymore.
>
> If the chameleon is called via <img>, only Opera renders the HTML output
> (without executing the Javascript). I didn't test if the inter-documents
> behavior is similar to the (i)frames one ... Screen-shot:
> http://www.agarri.fr/docs/opera-chameleon.png
>
> <shameless advertising>I'll demonstrate some additional XML/XSLT/SVG/...
> tricks at Hack in the Box Amsterdam next week</shameless advertising>
>
> Nicolas
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



-- 
/antisnatchor

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists