[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Trigerring Java code from a SVG image

To: Dan Kaminsky <dan@xxxxxxxxxxx>
Subject: Re: [Full-disclosure] Trigerring Java code from a SVG image
From: Krzysztof Kotowicz <kkotowicz+fd@xxxxxxxxx>
Date: Wed, 16 May 2012 15:16:52 +0200

Kind of. You can still do some stuff from <img> in Opera.
http://kotowicz.net/opera/

On Wed, May 16, 2012 at 12:25 PM, Dan Kaminsky <dan@xxxxxxxxxxx> wrote:
> Anything from <img> in any browser?
>
>
> On Wed, May 16, 2012 at 2:25 AM, Michele Orru <antisnatchor@xxxxxxxxx>
> wrote:
>>
>> Mario Heiderich did a lot of research on that, he found so many bugs
>> that allowed
>> to embed Javascript in SVG images.
>>
>> Nice stuff Nick btw,
>>
>> Cheers
>> antisnatchor
>>
>> On Wed, May 16, 2012 at 10:13 AM, Dan Kaminsky <dan@xxxxxxxxxxx> wrote:
>> > Yeah, there's a bunch of wild stuff in SVG.  The browsers ignore most of
>> > it,
>> > AFAIK.  I think Firefox is the only browser to even consider
>> > ForeignObjects
>> > (which let you throw HTML back into SVG).
>> >
>> > Probably the most interesting SVG thing is how they either do or don't
>> > have
>> > script access, depending on whether or not they're loaded as <img>'s.
>> >  It
>> > would be problematic indeed if <img src="foo.jpg"> could suddenly render
>> > script!
>> >
>> >
>> > On Tue, May 15, 2012 at 5:07 AM, Nicolas Grégoire
>> > <nicolas.gregoire@xxxxxxxxx> wrote:
>> >>
>> >> Hello,
>> >>
>> >> SVG is a XML-based file format for static or animated images. Some SVG
>> >> specifications (like  SVG 1.1 and SVG Tiny 1.2) allow to trigger some
>> >> Java code when the SVG file is opened.
>> >>
>> >> Given that I had to look at these features for a customer, I developed
>> >> some PoC codes which are now available online:
>> >> http://www.agarri.fr/docs/batik-evil.svg
>> >> http://www.agarri.fr/docs/batik-evil.jar
>> >>
>> >> I published a more detailed article on my blog:
>> >> http://www.agarri.fr/blog/
>> >>
>> >> Regards,
>> >> Nicolas Grégoire / @Agarri_FR
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/
>> >
>> >
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>> --
>> /antisnatchor
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Trigerring Java code from a SVG image
  - From: Nicolas Grégoire
- Re: [Full-disclosure] Trigerring Java code from a SVG image
  - From: Dan Kaminsky
- Re: [Full-disclosure] Trigerring Java code from a SVG image
  - From: Michele Orru
- Re: [Full-disclosure] Trigerring Java code from a SVG image
  - From: Dan Kaminsky

Prev by Date: Re: [Full-disclosure] Trigerring Java code from a SVG image
Next by Date: [Full-disclosure] Video tutorial: Stack-Based Buffer Overflow
Previous by thread: Re: [Full-disclosure] Trigerring Java code from a SVG image
Next by thread: Re: [Full-disclosure] Trigerring Java code from a SVG image
Index(es):
- Date
- Thread