| XSS Flaw in Tryit Editor
Author : Hotmail <firstname.lastname@example.org>
"0day - yourway"
Morning Wood Inc.
SECURITY VUNERABILITY ANOUNCEMENT - SECURITY VUNERABILITY ANOUNCEMENT
HTML Version is here http://exploit.wox.org/thecore/tryit13flaw.html
UNKNOWN ??? W3Schools.com ???
Try It 1.3 ( im sure other versions are flawed as well )
Try It 1.3 is an online HTML/PHP/XML Editor and script testing tool.
First... The info:
Rather funny.. I dont realy know that much about web-scripting etc,
I was looking for refrences to HTML and wound up at http://w3schools.com
and their neat online html tool
"Try It 1.3". Upon browsing to the iframe section I noticed
a funny thing...
Displayed to the right was
the renderd version of the raw html on the left.. an iframe example, the
iframe is pointed to "default.asp",
which is obviously running under the context of the webserver as there
preceding . or /
I tried (1st time by the way) to replace default.asp with a guessed
filename "test.asp". BINGO
a perfect iframe of a color test strip.
Now the really, really, bad:
Try It 1.3 at http://4arrow.com/test/t/editor.php - This site was simply
"Googled" via "Tryit Editor v1.3"
Apears to use a cookie to recall your last input.. anyway
I played with this not really trying anything, as it to exhibited the
Note the Section that says..
Filename: (new name = new file)
as well as the "Delete" checkbox
Sure enough it let me create a file and load it. My 9yo son was in the
room as I was
showing him this "new" cool WISYWIG editor and we made a "christian.htm"
file and that was
cool for him to play with, eventualy we closed the page and ate dinner.
Later I returned to the site to examine some examples and I was shocked
see "christian.htm" in the load box.
Yes folks it saves, and saves sweetly it does as evidenced by... get ready..
http://4arrow.com/test/t/data/tpl/christian.htm christian.htm ( our "new"
OOPS ( not good )
Now... as a test on known? exploit code,
I tested this:
and was just flabergasted...
note: the vendor has not been notified as of this date nor can I determine
the exact originating author.