June 17, 2021

Cross Site Scripting vulnerability found in IE 11

(LiveHacking.Com) – A new Cross Site Scripting (XSS) vulnerability has been found in IE 11. According to an email sent by David Leo, a researcher with information security company Deusen, to the Full Disclosure mailing list, the vulnerability allows an attacker to steal anything from a third-party domain and likewise inject anything into a third-party domain. In other words this is a same-origin policy bypass in the browser itself, not an injection flaw in any one site.

Deusen has also posted a proof of concept which injects the words “Hacked by Deusen” into a third-party website, in this case dailymail.co.uk. The disclosure is for Internet Explorer 11 on Windows 7; however, I have tried it on Windows 8.1 and the vulnerability is present there too.

The PoC works like this: once the web page has been opened you need to click on a dialog box to proceed. A second window then opens showing the dailymail.co.uk website, and after a few seconds the contents of dailymail.co.uk are replaced with the hacked message. In a real-world attack the injected code would do something more malicious than display a banner.

Since IE still shows that the domain is dailymail.co.uk, users can easily be tricked into giving up usernames, passwords or other private information. Because the injected content really is running in the target site's origin, the address bar is genuine and none of the usual phishing tells are present. Imagine if the attacker used paypal.com rather than dailymail.co.uk.

However, phishing isn't the only worry. Because the injected script runs in the target site's origin it can read the site's existing authentication cookies via document.cookie (HttpOnly cookies excepted) and, regardless of that flag, make requests to the site that carry the victim's session. This means an attacker can masquerade as an already-authenticated user.

According to Joey Fowler, a Senior Security Engineer at Tumblr, the vulnerability allows hackers to bypass standard HTTP-to-HTTPS restrictions. “It looks like, through this method, all viable XSS tactics are open!” he wrote.

Joey also asked whether Microsoft had been informed. David Leo confirmed that Microsoft was notified on 13 October 2014. In a statement to iTnews, Microsoft said there were no known cases of the vulnerability being exploited in the wild and that it is working on a fix.

Microsoft fixes Windows Live identity theft flaw

(LiveHacking.Com) – Microsoft has fixed a recently discovered vulnerability in its Windows Live service that allowed an attacker to steal victims' online identities. Abdeljalil S'hit and Yasser Aboukir reported the flaw to Microsoft after discovering that a Cross-Site Scripting (XSS) bug let them execute a malicious script. To exploit the vulnerability the attacker needed to trigger an error on the Windows Live login page; the resulting error page, because of the XSS problem, would then execute the malicious script.

As a result of the flaw an attacker could impersonate a Windows Live user by gaining full control of the victim's cookies. Combined with social engineering, this technique could be used to steal a victim's Windows Live identity. The Microsoft Security Response Center asked the researchers not to disclose the flaw while it worked on a fix. The pair duly kept quiet and Microsoft did come up with a fix, but it took three months.

“We have created a code change to address the issue and are now testing the changes,” a Microsoft spokesperson told the duo according to ZDNet. “Because changes to the site may affect a large number of users the testing requirements prior to production release are lengthy. Based on the testing schedule and barring any significant regressions the team expects to release an update into production in early May.”

Abdeljalil S'hit and Yasser Aboukir are to be applauded for the way they disclosed the issue, but questions remain over Microsoft's delay in addressing the problem. To Microsoft's credit, it did feature the pair on its list of June 2012 Security Researchers for their proper disclosure.


New Version of Opera Released to Fix Cross-site Scripting Vulnerability

(LiveHacking.Com) – Opera 11.61 has been released and all users are advised to upgrade to the latest version to benefit from its security and stability changes. With regard to security, Opera 11.61 fixes two issues:

  • An issue where manipulation of framed content can allow cross-site scripting.
  • An issue where script events could be used to reveal the presence of local files.

The cross-site scripting issue is the more serious of the two and has been given a “High” severity rating. According to the advisory, “pages from unrelated sites should not be able to interact with the contents of each other – known as the same-origin policy. Certain manipulations of framed content, made before loading a target site in a frame, can cause Opera not to correctly apply this restriction. This allows malicious sites to perform cross-site scripting attacks against arbitrary target sites, executing scripts in the context of that target site.”

The other issue, rated “Low”, allowed remote web pages to detect what types of files a user has on their local machine. The advisory reports that “certain types of HTML elements may behave differently when they attempt to reference local files that exist. The attempt to load the local file will be blocked, but different JavaScript events may fire, allowing the presence of the local file to be detected. The contents of the local file will not be exposed, and the attacker will need to be able to guess the path to the local file in order to check for its existence.”
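Both the IE 11 bug above and Opera's framed-content bug are failures of the same check, so here is an added Ruby model of it (example code, not code from Microsoft, Opera or Deusen): the same-origin policy's (scheme, host, port) comparison that decides whether one document may touch another, plus the X-Frame-Options evaluation a site can use to refuse being framed at all. The URLs and header values are constructed for illustration.

```ruby
require 'uri'

# Added example, not browser code: a model of the origin comparison that the
# IE 11 and Opera bugs failed to enforce, and of the X-Frame-Options check
# a framed page can rely on. Constructed URLs are used throughout.

DEFAULT_PORTS = { 'http' => 80, 'https' => 443 }.freeze

# The tuple the same-origin policy compares: (scheme, host, port).
# Path, query and fragment are deliberately ignored; a different subdomain
# or a different scheme is a different origin.
def origin_of(url)
  u = URI.parse(url)
  scheme = u.scheme.to_s.downcase
  port = u.port || DEFAULT_PORTS[scheme]
  [scheme, u.host.to_s.downcase, port]
end

def same_origin?(a, b)
  origin_of(a) == origin_of(b)
end

# What a correct browser does when a script in +script_url+ tries to read or
# rewrite the DOM of a frame or window showing +target_url+: allow it only
# for the same origin. Returns :allowed or :blocked.
def cross_document_access(script_url, target_url)
  same_origin?(script_url, target_url) ? :allowed : :blocked
end

# Server-side defence: a page that refuses to be framed by other origins
# cannot be the "framed content" the Opera advisory describes. This models
# how a browser applies the framed page's X-Frame-Options header
# (DENY / SAMEORIGIN / ALLOW-FROM <origin>); +headers+ is a Hash of that
# page's response headers.
def may_be_framed?(framer_url, framed_url, headers)
  xfo = headers.fetch('X-Frame-Options', '').strip
  return true if xfo.empty?                 # header absent: framing allowed
  directive, arg = xfo.split(/\s+/, 2)
  case directive.upcase
  when 'DENY'       then false
  when 'SAMEORIGIN' then same_origin?(framer_url, framed_url)
  when 'ALLOW-FROM' then !arg.nil? && same_origin?(framer_url, arg)
  else true # unrecognised value: treated as absent, i.e. the check fails open
  end
end
```

Note what the policy does not do: it is a comparison of three fields only, so anything that lets a document from one tuple run script against a document from another (a second window, a frame, an injected node) is a complete bypass, which is why such bugs are rated High. X-Frame-Options protects a site only against the framed variant; the IE PoC opened a second window, which that header does not control.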

Other non-security changes include an update to the default Speed Dials as well as fixes for the built-in email client and stability (crashing) fixes. More details about the update can be found in the Windows, Mac and UNIX change logs. Opera 11.61 is available to download now.

WordPress 3.3 Patched to Fix Cross-Site Scripting Vulnerability

(LiveHacking.Com) – WordPress 3.3.1 has been released to fix a Cross-Site Scripting (XSS) vulnerability discovered by security researchers Aditya Modha and Samir Shah. As well as fixing the XSS problem, 3.3.1 fixes 15 other issues with WordPress 3.3. Once the vulnerability was made public other researchers tried to reproduce it, without success. It transpires that the vulnerability is exploitable if WordPress is installed using an IP address; if, as is more common, WordPress is installed under a domain name, the site isn't vulnerable. This is down to logic in the WordPress codebase which treats URLs differently depending on whether WP_SITEURL is set or unset. Installations addressed by IP (test servers, internal sites) are therefore the ones to update first, but as this is also a maintenance release everyone should apply it.

The WordPress team thanked Joshua H., Hoang T., Stefan Zimmerman, Chris K. and the Go Daddy security team for responsibly disclosing the bug to the WordPress security team.

WordPress 3.3.1 can be downloaded from WordPress.org, or use Dashboard → Updates in your site's admin area.

Ruby on Rails Updated to Fix XSS Vulnerability

(LiveHacking.Com) – The open source web framework Ruby on Rails has been updated to fix a cross-site scripting vulnerability in the translate helper method.

The vulnerability, which could allow an attacker to insert arbitrary markup or script into a page, affects versions 3.0.0 and later, as well as 2.3.x when used with the rails_xss plugin. It has been fixed in versions 3.0.11 and 3.1.2.

The bug in the translate helper meant that when interpolation was used with an HTML-safe translation (a key ending in _html), the interpolated values were not HTML-escaped, so user-controlled data passed into the translation reached the page as raw markup.

The release notes give the following example. Before the fix, the interpolated value is passed through unescaped:

translate('foo_html', :something => '<script>') # => "...<script>..."

After the fix, the same call escapes it:

translate('foo_html', :something => '<script>') # => "...&lt;script&gt;..."

Shortly after the release of 3.1.2, the Rails team released 3.1.3 to fix a number of regressions introduced in 3.1.2, including one in the translate helper when an HTML translation uses the :count option for pluralization.
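To make the release-notes example concrete, here is an added Ruby model (not Rails' own helper code) of how an _html translation with interpolation behaves before and after the fix, extended to the :count pluralization case that 3.1.3 had to revisit. The translation table is constructed, and escaping every interpolated value is the model's simplification: Rails additionally leaves values already marked html_safe unescaped, which this model omits.

```ruby
require 'erb'

# Added example, not Rails' translate helper: a minimal model of the _html
# translation convention and of the bug fixed in 3.0.11 / 3.1.2.
# Constructed translation table standing in for an I18n backend.
TRANSLATIONS = {
  'foo_html'      => 'Hello, <b>%{something}</b>!',
  'comments_html' => { one:   '<b>%{count}</b> comment by %{who}',
                       other: '<b>%{count}</b> comments by %{who}' }
}.freeze

# Rails convention: a key ending in _html is trusted markup, so the template
# itself must not be escaped. When the entry is a Hash keyed by :one/:other,
# :count selects the plural form (the case behind the 3.1.3 regression fix).
def lookup(key, values)
  entry = TRANSLATIONS.fetch(key)
  return entry unless entry.is_a?(Hash)
  count = values.fetch(:count) { raise ArgumentError, "#{key} needs :count" }
  entry.fetch(count == 1 ? :one : :other)
end

# Substitute %{name} placeholders from the values hash.
def interpolate(template, values)
  template.gsub(/%\{(\w+)\}/) { values.fetch(Regexp.last_match(1).to_sym).to_s }
end

# Pre-fix behaviour: interpolated values inherit the template's html_safe
# status, so a '<script>' passed in lands in the page unescaped.
def translate_vulnerable(key, values = {})
  interpolate(lookup(key, values), values)
end

# Post-fix behaviour: the template stays raw, but every interpolated value is
# HTML-escaped before substitution. Non-_html keys return a plain string,
# which the view layer escapes as a whole on output, so they are left alone.
def translate_fixed(key, values = {})
  template = lookup(key, values)
  return interpolate(template, values) unless key.end_with?('_html')
  escaped = values.each_with_object({}) { |(k, v), h| h[k] = ERB::Util.html_escape(v.to_s) }
  interpolate(template, escaped)
end
```

The :count path matters because the value chosen for pluralization is also interpolated into the markup; a fix that escaped only the values used by the simple string case would leave the plural case open, and a fix that escaped the selected template itself would break the trusted <b> tags, which is the kind of regression 3.1.3 addressed.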

Has Skype for iOS Vulnerability Been Fixed?

(LiveHacking.Com) – A new version of Skype (3.5.84) for the iPhone and iPad appeared in the App Store yesterday with new features such as Bluetooth support and image stabilization. The “What's New” section also mentions a “Bugfix for security vulnerability.” Skype is keeping quiet about exactly which vulnerability has been fixed, but it is most likely the Cross-Site Scripting vulnerability in the “Chat Message” window which could allow an attacker to download a copy of the phone's address book.

The vulnerability, found last week, can be exploited simply by sending a specially crafted chat message to a Skype user. Skype uses a locally stored HTML file to display chat messages from other users, but it doesn't properly encode the sender's “Full Name” before inserting it into that file. The result is that an attacker can put malicious JavaScript in their name and it runs when the victim views the message.

Skype has published a blog post about the new iOS version explaining the new anti-shake feature and the Bluetooth support, but it says nothing about the security fix.

Every iPhone/iPad Skype user should update to this new version, though there have been reports of problems with it, including: 1) Skype Credit not showing, 2) contacts slow to sync, and 3) account settings (e.g. photo, name, profile) not appearing.

To remedy these, Skype suggests deleting the Skype app and installing it again from scratch. To delete the app, press and hold its icon on your iPhone and tap the ‘X’; to reinstall, return to the App Store and install it again.

Skype for iOS Vulnerability Allows Attacker to Steal Address Book Just By Sending a Chat Message

(LiveHacking.Com) – A Cross-Site Scripting vulnerability has been found in the “Chat Message” window of Skype for iOS. It can be exploited simply by sending a specially crafted chat message to a Skype user. Skype uses a locally stored HTML file to display chat messages from other users, but it doesn't properly encode the sender's “Full Name” before inserting it into that file. The result is that an attacker can put malicious JavaScript in their name and it runs when the victim views the message.

Because of the way Skype uses the built-in WebKit browser to show that local HTML file, any JavaScript run via the chat message exploit executes with the privileges of a local file rather than those of a remote web page, and can access the local user file system. Access to files on iOS devices is restricted by the operating system's sandbox, but every iOS application has access to the user's address book (this predates iOS asking the user for permission to read contacts). This allowed Phil Purviance to create a proof-of-concept injection that uploads a user's address book to a remote server just by sending a Skype chat message.

Phil told Skype about the vulnerability almost a month ago and was told that an update would be released early this month.

Skype says it is aware of the security issue and has issued the following statement:

“We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.”

Phil also created a video showing the exploit in action.

phpMyAdmin 3.4.4 and Companion Release Fix XSS Vulnerability

(LiveHacking.Com) – Norman Hippert from The-Wildcat.de has discovered a vulnerability in phpMyAdmin, the open source database administration tool. As a result the phpMyAdmin developers have announced new releases, including version 3.4.4. These new versions close the hole, discovered by Norman, in the Tracking feature that could lead to multiple cross-site scripting (XSS) vulnerabilities.

The vulnerability exists because table, column and index names are not properly sanitised before the Tracking feature displays them. An attacker must be logged into phpMyAdmin to exploit it, but since those names are attacker-chosen data that phpMyAdmin later renders for whoever views the tracking pages, the development team “consider this vulnerability to be serious.”

phpMyAdmin is a tool written in PHP for administering MySQL over the web. Further information about the updates can be found in the release announcements for 3.4.4 and the companion release, and in the project's security advisories.

WordPress 3.1.1 Released – Includes Security Patches

The WordPress project has released WordPress 3.1.1, a maintenance and security update for the open source blogging system. The release announcement says that the update fixes almost thirty issues in 3.1, including:

  • Performance improvements
  • Fixes for IIS6 support
  • Fixes for taxonomy and PATHINFO (/index.php/) permalinks
  • Fixes for various query and taxonomy edge cases that caused some plugin compatibility issues

With regards to security, V3.1.1 addresses three security issues:

  • Better Cross-site request forgery (CSRF – pronounced sea-surf) prevention in the media uploader
  • Workaround a PHP crash in certain environments when handling esoteric links in comments
  • Fix for a cross-site scripting (XSS) issue

The WordPress team suggests you update to 3.1.1 promptly. You can download 3.1.1 or update automatically from the Dashboard → Updates menu in your site's admin area.

YGN Ethical Hacker Group Claims McAfee Web Site Has Cross-Site Scripting Vulnerabilities

The YGN Ethical Hacker Group (YEHG), a small group of ethical hackers from Myanmar, has posted details of cross-site scripting (XSS) vulnerabilities it has found on McAfee.com. As a group of ethical hackers they first informed McAfee of these problems nearly six weeks ago, on February 10th 2011. However, since McAfee had not fully resolved the issues, they felt compelled to expose the problems to the public on the Full Disclosure mailing list.

These revelations are embarrassing for Intel, which agreed in August 2010 to pay $7.7 billion for the company, because McAfee offers a service called McAfee Secure which certifies that sites are free from just these kinds of vulnerabilities.

YEHG has found three types of problem on the McAfee web site.

  1. XSS vulnerabilities. Cross site scripting can allow attackers to inject client-side script into web pages viewed by other users.
  2. Internal hostname disclosure.
  3. Source code disclosure.

Since the disclosure, McAfee seems to have started remedying the problems: all the source code disclosure URLs given by YEHG have been fixed.