
Re: [Full-disclosure] Cross Domain XMLHttpRequest



Hi.
Thanks for showing this vulnerability :) In fact it was not supposed
to be safe, but now it should be :) You are right this is not a
vulnerability by itself but it gives an attacker a very useful tool
for attackers/trojans to perform Real Time Attacks on users' browsers.
Regards Michal.

On 4/15/07, ascii <ascii@xxxxxxxxxxxx> wrote:
> Michal Majchrowicz wrote:
> > Due to "security reasons" many Web Browsers don't allow cross
> > domain XMLHttpRequests.
>
> [..]
>
> hi Michal, personally i don't get your point (to me it seems just
> a hybrid implementation using both server side and client side
> scripting) but i'm sure you can better explain your intents
>
> from what i saw it asks a php page to make an http query to the foreign
> domain and then display back the page contents using js
>
> so i suppose this is not a vulnerability at all, just an implementation
> to (??) pass to javascript remote contents fetched using a machine !=
> from the client/browser/whatever
>
> anyway your implementation is a bit flawed
>
> http://sectroyer.110mb.com/myhttp.php?url=file://myhttp.php&method=get
>
> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
>
> <?php
> if(isset($_GET['url'])==true)
> {
> $curl=curl_init();
> curl_setopt($curl,CURLOPT_COOKIE,$_GET['cookie']);
> curl_setopt($curl,CURLOPT_URL,rawurldecode($_GET['url']));
> curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
> if(($_GET['method']=="post") && (isset($_GET['vars'])==true))
> {
> $vars=rawurldecode($_GET['vars']);
> curl_setopt($curl,CURLOPT_POSTFIELDS,$vars);
> }
> $tmp=curl_exec($curl);
> curl_close($curl);
> echo "myglobalcallback(\"".rawurlencode($tmp)."\");";
> }
> ?>
>
> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
>
> this is basically a proxy, it can make get/post requests to http
> only hosts, saturate the server bandwidth *PLUS* naturally fetch any
> local file : )
>
> http://sectroyer.110mb.com/myhttp.php?url=file:///etc/passwd&method=get
>
> please correct me if i misunderstood
>
> best regards,
> Francesco `ascii` Ongaro
> http://www.ush.it/
>
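
The proxy quoted above hands `$_GET['url']` to curl untouched, which is why the `file://` URLs in the reply work and why any reachable host can be fetched through it. Below is an added example (not code from this thread or from either poster) of the target validation such a server-side fetcher needs before it calls out: an http/https-only scheme check, an explicit host allowlist, a ban on credentials embedded in the URL, and a refusal of literal loopback or private addresses. The allowlist hosts (`api.example.com`, `data.example.org`) and the sample URLs are constructed; the two `file://` URLs are the ones from the reply.

```python
"""Target validation for a server-side fetch proxy like the myhttp.php
script quoted above.  Added example, not code from the thread; the
allowlist entries below are constructed sample values."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only origins this proxy is meant to reach.
ALLOWED_HOSTS = {"api.example.com", "data.example.org"}
ALLOWED_SCHEMES = {"http", "https"}


def validate_proxy_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (True, "ok") if url may be fetched, else (False, reason).

    The quoted script passes the url parameter straight to curl, so
    file://, any other curl-supported scheme and any host are reachable.
    Each check here closes one of those paths.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:          # e.g. malformed IPv6 brackets
        return False, "unparseable url: %s" % exc

    # 1. Scheme allowlist: rejects file://, gopher://, ftp://, ...
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % scheme

    # 2. No user:password@ in the URL; the proxy must not forward
    #    caller-chosen credentials to the target.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in url not allowed"

    # 3. hostname is already lower-cased and IPv6 brackets are stripped.
    host = parts.hostname
    if not host:
        return False, "missing host"

    # 4. Literal IP addresses: refuse loopback, link-local, RFC1918 etc.
    #    (defence in depth; the allowlist below would reject them too).
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                      # a DNS name, not an IP literal
    if ip is not None and not ip.is_global:
        return False, "non-public address %s" % host

    # 5. Host allowlist: the proxy fetches only from known origins.
    if host not in allowed_hosts:
        return False, "host %r not in allowlist" % host

    return True, "ok"


def check_thread_urls():
    """Run the validator over the two file:// URLs from the reply plus a
    few constructed cases; returns {url: reason}."""
    samples = [
        "file://myhttp.php",
        "file:///etc/passwd",
        "http://api.example.com/feed",
        "http://127.0.0.1/",
        "http://[::1]/",
        "http://user:pw@api.example.com/",
        "http://evil.example.net/",
    ]
    return {u: validate_proxy_target(u)[1] for u in samples}


if __name__ == "__main__":
    for url, reason in check_thread_urls().items():
        print("%-40s %s" % (url, reason))
```

In the PHP script itself the scheme check can additionally be enforced at the curl layer with `CURLOPT_PROTOCOLS` set to `CURLPROTO_HTTP | CURLPROTO_HTTPS`, but that does nothing about which hosts are reachable or how much bandwidth is consumed, so the host allowlist still has to run before `curl_exec`.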

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/