Cross-browser Code Execution via XSS

2008-12-03T00:00:00

Description

Hello 3APA3A! Recently I wrote about cross-browser Code Execution via XSS attack (http://websecurity.com.ua/2638/). Earlier I wrote you about Code Execution via XSS in Internet Explorer (http://securityvulns.ru/Udocument911.html). In this article I told about Code Execution attack via IE via Cross-Site Scripting vulnerability in Opera (http://websecurity.com.ua/2555/), which I disclosed in October 2008. The attack works when web page was saved in Opera as Web Archive file with name .htm (.html) at user's computer and then it was opened in IE. This technique can be used for bypassing of different proxies and firewalls, which analyze content of web pages for malicious code (because attacking code appears in the page already after saving). And also can be used for bypassing of antiviruses. Code Execution: http://site/?--%3E%3Cscript%3Ec=new%20ActiveXObject('WScript.Shell');c.Run('calc.exe');%3C/script%3E For making of hidden attack the iframe can be used: <iframe src="http://site/?--%3E%3Cscript%3Ec=new%20ActiveXObject('WScript.Shell');c.Run('calc.exe');%3C/script%3E" height="0" width="0"></iframe> Unlike previous attack (which occurs only via IE), this cross-browser attack works in IE even without turned on option “Initialize and script ActiveX control not marked as safe”. Vulnerable is version Opera 9.52 and previous versions (and potentially next versions). Code execution occurs in any version of Internet Explorer (IE6 and IE7). Similar attack also can be made in browser Google Chrome - via Cross-Site Scripting vulnerability in Google Chrome (http://websecurity.com.ua/2505/). Only in Chrome it's needed to save web page not as Web Archive, but the same as in IE, save as Web Page, complete. But only in old versions (Chrome <= 0.2.149.30), because in versions starting with Chrome 0.3.154.9 this XSS was fixed already. These XSS vulnerabilities in Opera and Chrome belong to Saved XSS type (http://websecurity.com.ua/2641/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

{"id": "SECURITYVULNS:DOC:20941", "bulletinFamily": "software", "title": "Cross-browser Code Execution via XSS", "description": "Hello 3APA3A!\r\n\r\nRecently I wrote about cross-browser Code Execution via XSS attack (http://websecurity.com.ua/2638/). Earlier I wrote you about Code Execution via XSS in Internet Explorer (http://securityvulns.ru/Udocument911.html).\r\n\r\nIn this article I told about Code Execution attack via IE via Cross-Site Scripting vulnerability in Opera (http://websecurity.com.ua/2555/), which I disclosed in October 2008.\r\n\r\nThe attack works when web page was saved in Opera as Web Archive file with name .htm (.html) at user's computer and then it was opened in IE. This technique can be used for bypassing of different proxies and firewalls, which analyze content of web pages for malicious code (because attacking code appears in the page already after saving). And also can be used for bypassing of antiviruses.\r\n\r\nCode Execution:\r\n\r\nhttp://site/?--%3E%3Cscript%3Ec=new%20ActiveXObject('WScript.Shell');c.Run('calc.exe');%3C/script%3E\r\n\r\nFor making of hidden attack the iframe can be used:\r\n\r\n<iframe src="http://site/?--%3E%3Cscript%3Ec=new%20ActiveXObject('WScript.Shell');c.Run('calc.exe');%3C/script%3E" height="0" width="0"></iframe>\r\n\r\nUnlike previous attack (which occurs only via IE), this cross-browser attack works in IE even without turned on option \u201cInitialize and script ActiveX control not marked as safe\u201d.\r\n\r\nVulnerable is version Opera 9.52 and previous versions (and potentially next versions). Code execution occurs in any version of Internet Explorer (IE6 and IE7).\r\n\r\nSimilar attack also can be made in browser Google Chrome - via Cross-Site Scripting vulnerability in Google Chrome (http://websecurity.com.ua/2505/). Only in Chrome it's needed to save web page not as Web Archive, but the same as in IE, save as Web Page, complete.\r\n\r\nBut only in old versions (Chrome <= 0.2.149.30), because in versions starting with Chrome 0.3.154.9 this XSS was fixed already. These XSS vulnerabilities in Opera and Chrome belong to Saved XSS type (http://websecurity.com.ua/2641/).\r\n\r\nBest wishes & regards,\r\nMustLive\r\nAdministrator of Websecurity web site\r\nhttp://websecurity.com.ua", "published": "2008-12-03T00:00:00", "modified": "2008-12-03T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20941", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:28", "edition": 1, "viewCount": 70, "enchantments": {"score": {"value": 2.1, "vector": "NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:9387"]}], "rev": 4}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:9387"]}]}, "exploitation": null, "vulnersScore": 2.1}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645630186, "score": 1659803227}, "_internal": {"score_hash": "8cf7a48724c6e3ed33d930979b9c0f60"}}