Cross Application Scripting 4 (Even more browsers belong to us)
Posted by: nmcfeters
Date: July 26, 2007 03:17AM

The URI issues continue to pile up at this point. After I saw Thor's post on Seamonkey, I figured it's probably vulnerable to some other issues as well, so I gave it a shot. It's vulnerable to a command injection thru the telnet protocol (and probably others as well), which can be demonstrated with the following link:

telnet:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat

Of course, as previously mentioned on the xs-sniper blog, this entire string is not needed, it's just what we've been testing with and it's 3am and I can't be bothered to shorten it at this point.

Additionally, the Nvu (browser? editor?) is vulnerable to the same style of command injection attacks referenced for Firefox; however, I'm not sure exactly how you would go about attacking it... it really requires the user to right-click on a link and say edit in new tab or something of the like, but it will trigger the vulnerability.

I'm personally not all that interested in taking the Nvu flaw further, but someone who knows more about it may be able to create a more useful exploit.

--Nate
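
A defensive check for the kind of link shown in the post, as an added example that is not part of the original post or any browser's code: before a URI is handed to an external protocol handler, decode it and flag null bytes, quotes, whitespace, traversal sequences and shell metacharacters. The function name `inspectExternalUri` and the scheme list are assumptions made for illustration.

```javascript
// Assumed sample list of schemes that are dispatched to external programs.
const EXTERNAL_SCHEMES = new Set(['telnet', 'mailto', 'news', 'nntp', 'snews']);

// Returns { scheme, external, flagged, findings } for one URI string.
function inspectExternalUri(uri) {
  const findings = [];
  const m = /^([a-z][a-z0-9+.-]*):(.*)$/is.exec(uri);
  if (!m) return { scheme: null, external: false, flagged: true, findings: ['no scheme'] };

  const scheme = m[1].toLowerCase();
  const rest = m[2];
  if (!EXTERNAL_SCHEMES.has(scheme)) {
    return { scheme, external: false, flagged: false, findings };
  }

  // Decode %XX byte-wise so malformed escapes cannot throw (decodeURIComponent can).
  const decoded = rest.replace(/%([0-9a-f]{2})/gi,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));

  if (decoded.includes('\0')) findings.push('null byte');
  if (/["'`]/.test(decoded)) findings.push('quote character');
  if (/\s/.test(decoded)) findings.push('whitespace');
  if (/(^|[\\/])\.\.([\\/]|$)/.test(decoded)) findings.push('path traversal');
  if (/[&|<>^;]/.test(decoded)) findings.push('shell metacharacter');

  return { scheme, external: true, flagged: findings.length > 0, findings };
}

// The first sample is the link from the post; the others are constructed.
const SAMPLES = [
  'telnet:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat',
  'telnet://example.com:23/',
  'http://example.com/a%00b',
];

for (const s of SAMPLES) {
  const r = inspectExternalUri(s);
  console.log(r.flagged ? 'BLOCK' : 'allow', r.scheme, r.findings.join(', '));
}
```

A handler registration or link-dispatch layer would refuse to launch the external program whenever `flagged` is true, rather than trying to strip the offending characters.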
