2014-03-14 20:28 GMT+01:00 Nicholas Lemonias:
> Then that also means that firewalls and IPS systems are worthless. Why
> spend so much time protecting the network layers if a user can send any
> file of choice to a remote network through http...
>
No, they are not worthless per se, but of cours
n't make the bug go away.
>
> Best,
>
> Nicholas.
>
>
> On Fri, Mar 14, 2014 at 7:01 PM, Krzysztof Kotowicz <
> kkotowicz...@gmail.com> wrote:
>
>> Nicholas, seriously, just stop.
>>
>> You have found an 'arbitrary file upload' i
Nicholas, seriously, just stop.
You have found an 'arbitrary file upload' in a file hosting service and
claim it is a serious vulnerability. With no proof that your 'arbitrary
file' is being used anywhere in any context that would lead to code
execution - on server or client side. You cite OWASP d
ertain conditions, ends up in location.href
assignment, triggering JS execution.
Proof of Concept
http://domain/example/bridge.html"; onload="document.getElementById('f').src='http://domain/name.html#_3constructor,javascript:alert(document.domain)//
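The sink described above (attacker-controlled text reaching a `location.href` assignment) and the fix a practitioner would want, as an added example that is not part of this advisory or the vendor's code. Assumptions: `loc` is a plain object standing in for `window.location` so the code runs under Node; the "first,second" fragment layout is guessed from the PoC URL; `fragmentTarget`, `safeNavigationTarget`, `classify` and the probe strings are names and inputs constructed here. The point it makes is that a string-prefix blacklist on `javascript:` sees only bytes, while the browser's URL parser strips leading controls and spaces, removes tabs and newlines anywhere, and lower-cases the scheme, so the candidate must be parsed the same way before it is trusted.

```javascript
'use strict';

// Sink of the kind the advisory describes: a fragment-controlled string is
// assigned to location.href. Constructed illustration, not the vendor's code;
// the "first,second" fragment layout is guessed from the PoC URL. `loc` stands
// in for window.location so that this runs under Node.
function fragmentTarget(loc) {
  return loc.hash.slice(1).split(',')[1] || '';
}

function vulnerableNavigate(loc) {
  loc.href = fragmentTarget(loc);   // a javascript: URL assigned here runs as script
  return loc.href;
}

// Typical first fix attempt: a literal prefix check. It only sees the bytes,
// not what the browser's URL parser makes of them.
function looksLikeJavascriptUrl(s) {
  return s.toLowerCase().startsWith('javascript:');
}

// Hardened version: parse the candidate the way the browser will, then allow
// only http(s), and by default only the page's own origin (which also blocks
// open redirects via protocol-relative URLs).
function safeNavigationTarget(candidate, base, sameOriginOnly = true) {
  let url;
  try {
    url = new URL(candidate, base);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (sameOriginOnly && url.origin !== new URL(base).origin) return null;
  return url.href;
}

function hardenedNavigate(loc) {
  const safe = safeNavigationTarget(fragmentTarget(loc), loc.href);
  if (safe !== null) loc.href = safe;   // otherwise stay on the current page
  return loc.href;
}

// For one candidate string, report whether the prefix check would block it
// and whether the parser-based check would allow it.
function classify(candidate, base = 'http://domain/name.html') {
  return {
    candidate,
    blockedByPrefixCheck: looksLikeJavascriptUrl(candidate),
    allowedByParserCheck: safeNavigationTarget(candidate, base) !== null,
  };
}

// Constructed probes. The WHATWG URL parser strips leading C0 controls and
// spaces, removes tabs and newlines anywhere, and lower-cases the scheme, so
// the first four all parse as javascript: even though only one starts with it.
const PROBES = [
  ' javascript:alert(document.domain)',
  'java\tscript:alert(document.domain)',
  '\u0001javascript:alert(document.domain)',
  'JaVaScRiPt:alert(document.domain)',
  '//attacker.invalid/',
  'data:text/html,<script>alert(1)</script>',
  'example/bridge.html',
];

function demo() {
  const loc = {
    href: 'http://domain/name.html#_3constructor,javascript:alert(document.domain)',
    hash: '#_3constructor,javascript:alert(document.domain)',
  };
  console.log('vulnerable ->', vulnerableNavigate({ ...loc }));
  console.log('hardened   ->', hardenedNavigate({ ...loc }));
  for (const p of PROBES) console.log(classify(p));
}

demo();
```

Of the probes, only the mixed-case one is caught by the prefix check, while every one of them is rejected by the parser-based check; the relative `example/bridge.html` is the only candidate that survives it, resolved against the page's own origin.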
Credits
=======
- Slawomir Jasek
- Krzysztof Kotowicz
Dates
=====
- 18.11.2013 - Vendor disclosure
- 21.11.2013 - Additional vulnerabilities found & reported to vendor
- 21.11.2013 - Vendor acknowledges the report, "no further details to share"
- 06.12.2013 - Query ab
l inject log=true FlashVars
parameter, which, combined with first vulnerability will trigger script
execution in jsbin.com domain.
http://jsbin.com&log=true&a=@jsbin.com/UMUHOgo/1?#xdm_e=https%3A%2F%2Floscalhost&xdm_c=default7059&xdm_p=6&xdm_s=j%5C%22-alerssst(2)))%7Dcatch(e)
ctly as inserted (is there an antiCSRF token
needed for the search request) and only then is the payload executed.
During this scenario the user knowingly sees & uses JavaScript code twice -
that's hardly low interaction.
Unless I'm missing something - is there a cross-account action goin
lean() function.
It's based on multiple blacklists and will therefore unavoidably be
bypassable in the future. For input filtering, use HTMLPurifier (
http://htmlpurifier.org/ ) instead.
Credits
=======
Vulnerability found by Krzysztof Kotowicz
http://blog.kotowicz.net
Timeline
========
2012.03
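The advisory's point above, that a blacklist-based clean() function is unavoidably bypassable and that filtering should instead be done by an allowlisting parser, shown as an added example that is not the vendor's function, not the advisory's code and not HTMLPurifier. Assumptions: `blacklistClean` is a toy filter constructed here in the style the advisory criticises; `allowlistSanitize` is a minimal illustration of the allowlist approach (strict tag grammar, per-tag attribute allowlist, URL attributes checked with the URL parser, everything unrecognised emitted as escaped text); the three payloads are constructed for this example. It is written in JavaScript rather than PHP so that it runs stand-alone under Node; for a real PHP deployment the advisory's recommendation of HTMLPurifier stands.

```javascript
'use strict';

// Toy blacklist filter of the kind the advisory criticises (constructed for
// this example; not the vendor's clean() function). Each pattern looks
// reasonable on its own, and each can be stepped around.
const BLACKLIST = [
  /<script\b[^>]*>.*?<\/script\s*>/gi, // no /s flag: a newline inside the body defeats it
  /\bon\w+\s*=/gi,                     // inline event handlers
  /javascript:/gi,                     // javascript: URLs, matched literally
];

function blacklistClean(html) {
  let out = html;
  for (const re of BLACKLIST) out = out.replace(re, '');
  return out;
}

// Allowlist sanitizer: anything that is not a recognised, permitted tag is
// emitted as escaped text, so unknown markup fails closed instead of open.
const ALLOWED = new Map([
  ['p', []], ['br', []], ['b', []], ['i', []], ['em', []], ['strong', []],
  ['code', []], ['pre', []], ['ul', []], ['ol', []], ['li', []],
  ['a', ['href', 'title']],
]);
const URL_ATTRS = new Set(['href']);
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Parse the value the way a browser's URL parser will (tabs and newlines
// removed, leading controls stripped, scheme lower-cased), then check the scheme.
function safeUrl(value) {
  let url;
  try { url = new URL(value, 'https://sanitizer.invalid/'); } catch (e) { return false; }
  return SAFE_SCHEMES.has(url.protocol);
}

// A tag is accepted only if it matches this strict grammar in full.
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[a-zA-Z][a-zA-Z0-9-]*(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?)*)\s*\/?>/;
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function allowlistSanitize(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));
    const m = TAG_RE.exec(html.slice(lt));
    const name = m ? m[2].toLowerCase() : null;
    if (!m || !ALLOWED.has(name)) {
      out += '&lt;';          // malformed or unknown tag: neutralise the '<', continue as text
      i = lt + 1;
      continue;
    }
    i = lt + m[0].length;
    if (m[1] === '/') { out += `</${name}>`; continue; }
    let attrs = '';
    for (const a of m[3].matchAll(ATTR_RE)) {
      const attrName = a[1].toLowerCase();
      const value = a[2] || a[3] || a[4] || '';
      if (!ALLOWED.get(name).includes(attrName)) continue;       // unknown attribute: drop
      if (URL_ATTRS.has(attrName) && !safeUrl(value)) continue; // unsafe scheme: drop
      attrs += ` ${attrName}="${escapeText(value)}"`;           // emit exactly the string that was checked
    }
    out += `<${name}${attrs}>`;
  }
  return out;
}

// Constructed payloads that pass the blacklist untouched.
const BYPASSES = [
  '<script>\nalert(1)\n</script>',                                    // newline defeats the non-dotall regex
  '<a href="java\tscript:alert(1)">click</a>',                        // tab inside the scheme; browsers strip it
  '<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>', // script arrives entity-encoded
];

for (const p of BYPASSES) {
  console.log('blacklist:', JSON.stringify(blacklistClean(p)));
  console.log('allowlist:', JSON.stringify(allowlistSanitize(p)));
}
```

The allowlist version keeps `<a>` but drops its `href` for the tab payload, because `safeUrl` parses the attribute value the way the browser will and sees a `javascript:` scheme; the other two payloads come out as plain escaped text. Benign markup such as `<p>Hello <b>world</b>, see <a href="https://example.com/?q=1&x=2" onclick="alert(1)">link</a></p>` survives with only the unlisted `onclick` removed.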
Kind of. You can still do some stuff from in Opera.
http://kotowicz.net/opera/
On Wed, May 16, 2012 at 12:25 PM, Dan Kaminsky wrote:
> Anything from in any browser?
>
>
> On Wed, May 16, 2012 at 2:25 AM, Michele Orru
> wrote:
>>
>> Mario Heiderich did a lot of research on that, he found so man