Full Disclosure mailing list archives
XSS Flaw in Tryit Editor v1.3
From: "Hotmail" <se_cur_ity () hotmail com>
Date: Fri, 18 Apr 2003 13:28:52 -0700
SECURITY VULNERABILITY ANNOUNCEMENT - SECURITY VULNERABILITY ANNOUNCEMENT
"0day - yourway"
04/17/2003
Morning Wood Inc.
se_cur_ity () hotmail com
http://take.candyfrom.us
http://exploit.wox.org
SECURITY VULNERABILITY ANNOUNCEMENT - SECURITY VULNERABILITY ANNOUNCEMENT

HTML version is here: http://exploit.wox.org/thecore/tryit13flaw.html

Vendor: UNKNOWN ??? W3Schools.com ???
Package: Try It 1.3 (I'm sure other versions are flawed as well)
Description: Try It 1.3 is an online HTML/PHP/XML editor and script testing tool.

First... The info:
reference: http://www.w3schools.com/html/tryit.asp?filename=tryhtml_iframe

Rather funny... I don't really know that much about web-scripting etc.

The Bad:
I was looking for references to HTML and wound up at http://w3schools.com and their neat online HTML tool "Try It 1.3". Upon browsing to the iframe section I noticed a funny thing... Displayed to the right was the rendered version of the raw HTML on the left: an iframe example. The iframe is pointed to "default.asp", which is obviously running under the context of the webserver as there is no preceding . or /. I tried (1st time, by the way) to replace default.asp with a guessed filename "test.asp". BINGO, a perfect iframe of a color test strip.

Now the really, really bad:
Try It 1.3 at http://4arrow.com/test/t/editor.php - This site was simply "Googled" via "Tryit Editor v1.3". Appears to use a cookie to recall your last input. Anyway, I played with this, not really trying anything, as it too exhibited the same flaw. But... note the section that says "Filename: (new name = new file)" as well as the "Delete" checkbox. Sure enough it let me create a file and load it. My 9yo son was in the room as I was showing him this "new" cool WYSIWYG editor and we made a "christian.htm" file and that was cool for him to play with; eventually we closed the page and ate dinner. Later I returned to the site to examine some examples and I was shocked to see "christian.htm" in the load box.

Yes folks it saves, and saves sweetly it does, as evidenced by... get ready... this directory...
http://4arrow.com/test/t/
then...
http://4arrow.com/test/t/data/tpl/
and obviously...
http://4arrow.com/test/t/data/tpl/christian.htm
christian.htm (our "new" file)

OOPS (not good)

Now... as a test on known? exploit code, I tested this:
http://4arrow.com/test/t/data/tpl/hmm.htm
containing...
<object id="test" data="#" width="100%" height="100%" type="text/x-scriptlet" VIEWASTEXT></object>
and was just flabbergasted...

note: the vendor has not been notified as of this date nor can I determine the exact originating author.

©morning_wood 04/17/2003

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
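As an added example (not code from the Try It editor, its author, or the post above), a PHP save/load handler showing the two controls the post's findings call for: a strictly validated filename so "new name = new file" cannot write arbitrary files, and sandboxed delivery so stored HTML such as the scriptlet object shown above cannot run in the site's own origin. TPL_DIR and the function names are hypothetical.

```php
<?php
// Added example, not code from the Try It editor or its author. TPL_DIR,
// template_path(), save_template() and serve_template() are hypothetical
// names chosen for this illustration.
// Keep stored templates outside the document root, not under a browsable
// directory such as data/tpl/.
const TPL_DIR = __DIR__ . '/../private/tpl';
// Accept only a short plain base name with a fixed .htm extension, so the
// "new name = new file" field cannot yield traversal (../) or a
// server-executed extension such as .php.
function safe_template_name(string $name): ?string
{
    return preg_match('/\A[a-z0-9_-]{1,32}\.htm\z/', $name) ? $name : null;
}

// Build the path from the resolved base directory and the validated name only.
function template_path(string $name): ?string
{
    $safe = safe_template_name($name);
    $base = realpath(TPL_DIR);
    if ($safe === null || $base === false) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $safe;
}

function save_template(string $name, string $html): bool
{
    $path = template_path($name);
    if ($path === null) {
        return false;
    }
    return file_put_contents($path, $html, LOCK_EX) !== false;
}

function serve_template(string $name): void
{
    $path = template_path($name);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        return;
    }
    // The stored HTML is untrusted: CSP "sandbox" renders it with scripts,
    // plugins (e.g. the <object> scriptlet) and same-origin access disabled.
    header('Content-Type: text/html; charset=utf-8');
    header('Content-Security-Policy: sandbox');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

The "Delete" checkbox the post mentions should go through the same template_path() check before calling unlink(), so a delete request cannot name files outside the template directory either.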