-
Archives
- November 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- December 2008
- November 2008
- October 2008
- September 2008
- August 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- September 2007
- April 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- April 2006
- August 2005
- April 2005
- March 2005
- March 2004
-
Meta
Category Archives: advisory
Advisory: Certain domain names could allow execution of arbitrary code in Opera
Opera released 10.01 recently, which fixed a memory corruption issue found with Casaba’s IDN/URI fuzzer. http://www.opera.com/support/kb/view/938/
Advisory: Webkit – Visiting a maliciously crafted website may lead to a cross-site scripting attack
More from: http://support.apple.com/kb/HT3613 CVE-ID: CVE-2006-2783 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista Impact: Visiting a maliciously crafted website may lead to a cross-site … Continue reading
Advisory: International Components for Unicode – Maliciously crafted content may bypass website filters and result in cross-site scripting
Update from: http://support.apple.com/kb/HT3613 CVE-ID: CVE-2009-0153 Available for: Windows XP or Vista Impact: Maliciously crafted content may bypass website filters and result in cross-site scripting Description: An implementation issue exists in ICU’s handling of certain character encodings. Using ICU to convert … Continue reading
Advisory: International Components for Unicode CVE-2009-0153
Big ones from Apple today: http://support.apple.com/kb/HT3549 CVE-ID: CVE-2009-0153 Available for: Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6 Impact: Maliciously crafted content may bypass website filters and result in cross-site scripting Description: An implementation issue … Continue reading
Advisory: Lenovo/IBM ActiveX buffer overflow
CERT released the advisory for this, which I believe is not being fixed by Lenovo/IBM. http://www.kb.cert.org/vuls/id/340420 This ActiveX control comes preinstalled on many Lenovo systems, and is also downloaded from the main page of their support site. It’s a nasty … Continue reading
Advisory: Adobe Air 1.1 JavaScript execution security vulnerability
Adobe released a patch and bulletin for an issue I reported back in May. The issue is really in WebKit, and many products seem to be affected. A vulnerability has been identified in Adobe AIR 1.1 and earlier that could … Continue reading
Posted in JavaScript, Unicode, advisory, cross site scripting, testing
Tagged advisory, JavaScript, XSS
Leave a comment
Advisory: BOM’ing Firefox’s Javascript Interpreter
Damage: Filter evasion, cross-site scripting Exploit: Insert Unicode byte order mark (BOM) U+FEFF into javascript statements to bypass filters. Root Cause: character absorption/swallowing Product version: Firefox 3.01 and earlier Link to Mozilla advisory: http://www.mozilla.org/security/announce/2008/mfsa2008-43.html Well admittedly this one seems to … Continue reading
Protected: Advisory: Browser BOM’ing for XSS
There is no excerpt because this is a protected post.
Posted in Unicode, advisory, browser, cross site scripting
Tagged advisory, cross site scripting, Unicode
Enter your password to view comments.
Advisory: Attack of the Mongolian space evaders! (and other Medieval XSS vectors)
Damage: Filter evasion, cross-site scripting Exploit: Bypass XSS filters, IPS/IDS, AV, or WAF’s with specially crafted white_space characters to execute XSS attacks. Root Cause: Interpreting syntax replacements Product Version: Opera 9.51 and earlier Or should we call this “Druidic magical … Continue reading