XSS Flaw in Tryit Editor
Date: 2003-04-19

Author: Morning Wood <se_cur_ity@hotmail.com>

"0day - yourway"

04/17/2003
Morning Wood Inc.
se_cur_ity@hotmail.com
http://take.candyfrom.us
http://exploit.wox.org

SECURITY VULNERABILITY ANNOUNCEMENT

HTML Version is here http://exploit.wox.org/thecore/tryit13flaw.html

Vendor:
Unknown (possibly W3Schools.com?)

Package:
Try It 1.3 (I'm sure other versions are flawed as well)

Description:
Try It 1.3 is an online HTML/PHP/XML editor and script-testing tool.


First... The info:

reference: http://www.w3schools.com/html/tryit.asp?filename=tryhtml_iframe

Rather funny... I don't really know that much about web scripting, etc.


The Bad:

I was looking for references to HTML and wound up at http://w3schools.com
and their neat online HTML tool, "Try It 1.3". Upon browsing to the iframe
section I noticed a funny thing... Displayed to the right was the rendered
version of the raw HTML on the left: an iframe example, where the iframe is
pointed at "default.asp", which is obviously running under the context of the
web server as there is no preceding . or /
I tried (1st time, by the way) to replace default.asp with a guessed
filename, "test.asp". BINGO: a perfect iframe of a color test strip.


Now the really, really bad:

Try It 1.3 at http://4arrow.com/test/t/editor.php - this site was simply
"Googled" via "Tryit Editor v1.3". It appears to use a cookie to recall your
last input... anyway, I played with this, not really trying anything, as it
too exhibited the same flaw.

But..

Note the Section that says..

Filename: (new name = new file)

as well as the "Delete" checkbox

Sure enough, it let me create a file and load it. My 9yo son was in the room
as I was showing him this "new" cool WYSIWYG editor, and we made a
"christian.htm" file, and that was cool for him to play with; eventually we
closed the page and ate dinner. Later I returned to the site to examine some
examples and I was shocked to see "christian.htm" in the load box.
Yes folks, it saves, and saves sweetly it does, as evidenced by... get ready...
this directory...
http://4arrow.com/test/t/
then...
http://4arrow.com/test/t/data/tpl/
and obviously...
http://4arrow.com/test/t/data/tpl/christian.htm ( our "new" file )

OOPS ( not good )


Now... as a test of known(?) exploit code, I tested this:

http://4arrow.com/test/t/data/tpl/hmm.htm
containing...

<object id="test"
data="#"
width="100%" height="100%"
type="text/x-scriptlet"
VIEWASTEXT></object>

and was just flabbergasted...
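The two behaviours above (user HTML rendered on the site's own origin, and a "Filename:" box whose value becomes a file inside the web-served data/tpl/ directory) boil down to one mistake: the server lets the visitor choose both the content and the on-disk name of something it will later serve as HTML from the same origin that holds the editor's cookie. The following is an added example, not the Try It editor's code (the advisory does not reproduce it): a Python model of the save step as the advisory describes it, beside a hardened version. The document-root path, the assumption that the editor simply joined the typed name onto the template directory, and the use of a CSP sandbox for the result pane are all assumptions made for this illustration.

```python
"""Added example, not the Try It editor's source: a 'save template' handler
modelled on the behaviour the advisory describes, beside a hardened version.
Directory names and the join behaviour are assumptions."""
import os
import re
import secrets
import tempfile

# Constructed payload: the text/x-scriptlet <object> tag quoted in the advisory.
SCRIPTLET_PAYLOAD = (
    '<object id="test" data="#" width="100%" height="100%" '
    'type="text/x-scriptlet" VIEWASTEXT></object>'
)


def unsafe_disk_path(web_tpl_dir, user_filename):
    """Pattern observed in the advisory: the name typed into 'Filename:' becomes
    the on-disk name inside a directory the web server also serves, so the file
    is immediately reachable as /data/tpl/<name> on the editor's own origin.
    (Assumed join; the page does not show the editor's source.)"""
    return os.path.join(web_tpl_dir, user_filename)


# A label is a short display name only; dots, slashes and extensions are refused.
LABEL_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def validate_label(label):
    """Return the label if it is acceptable, otherwise None."""
    return label if LABEL_RE.fullmatch(label) else None


def save_template_safe(store_dir, label, html):
    """Hardened save: the user picks a label, never the on-disk name. The file is
    written under a server-chosen random id, into a directory that is assumed to
    sit outside the document root, and containment is re-checked after resolving
    symlinks. Returns (template id, path)."""
    if validate_label(label) is None:
        raise ValueError("bad label")
    tpl_id = secrets.token_hex(16)
    path = os.path.join(store_dir, tpl_id + ".htm")
    real_dir = os.path.realpath(store_dir)
    if os.path.commonpath([real_dir, os.path.realpath(path)]) != real_dir:
        raise ValueError("path escapes store")
    with open(path, "w", encoding="utf-8") as f:
        f.write(html)
    return tpl_id, path


def preview_headers():
    """Headers for the handler that streams a stored template back into the
    result pane. 'Content-Security-Policy: sandbox' gives the document an opaque
    origin and disables script, so stored HTML cannot read the editor's cookie
    or act as the hosting site; nosniff stops content-type sniffing tricks."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "sandbox",
        "X-Content-Type-Options": "nosniff",
    }


def demo():
    """Run both paths against the advisory's inputs inside a temp directory."""
    with tempfile.TemporaryDirectory() as store:
        unsafe = unsafe_disk_path("/var/www/test/t/data/tpl", "christian.htm")
        tpl_id, path = save_template_safe(store, "christian", SCRIPTLET_PAYLOAD)
        with open(path, encoding="utf-8") as f:
            content = f.read()
        rejected = [n for n in ("christian.htm", "../editor.php", "")
                    if validate_label(n) is None]
        return {"unsafe_path": unsafe, "safe_id": tpl_id, "safe_path": path,
                "safe_content": content, "rejected": rejected}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Note that the hardened version still stores the scriptlet payload verbatim; the point is not to filter the HTML (a "try it" editor exists to render arbitrary HTML) but to make sure it is never served from a path or origin that the site's cookies and other pages trust. The period-correct equivalent of the sandbox header would have been serving the result pane from a separate, throwaway hostname.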


Note: the vendor has not been notified as of this date, nor can I determine
the exact originating author.



 
