Vulnerability Note VU#305208

Caucho Resin vulnerable to XSS via "file" parameter to "viewfile"

The "viewfile" command provided by Caucho Resin contains a cross-site scripting (XSS) vulnerability in the "file" parameter.

Caucho Resin is a Java-based application server. The "viewfile" command that is provided with the Resin documentation is vulnerable to XSS via the "file" parameter.

A remote, unauthenticated attacker may be able to execute arbitrary script within the context of the Resin web pages.

Apply an update

This issue is resolved in Resin 3.0.25 and 3.1.4. Note that the vendor does not recommend including the Resin documentation on production web servers, which would prevent the vulnerable command from being exposed.

http://www.caucho.com/

http://www.caucho.com/resin/changes/changes-31.xtp#3.1.4%20-%20Dec%205,%202007

Credit

Thanks to Tomasz Kuczynski for reporting this vulnerability.

This document was written by Will Dormann.

Vulnerability Note VU#705529

Apple Safari WebKit fails to properly handle a crafted URL

A vulnerability in the way Apple Mac OS X handles specially crafted URLs may allow an attacker to execute script in the context of another site..

According to Apple Safari 3.1.1:

An issue exists in WebKit's handling of URLs containing a colon character in the host name. Opening a maliciously crafted URL may lead to a cross-site scripting attack. This update addresses the issue through improved handling of URLs.

This vulnerability may allow an attacker to execute script in the context of another site.

Apply Apple Updates

Apple has released an update to address this vulnerability. Refer to Apple Safari 3.1.1.

http://support.apple.com/kb/HT1467

Credit

This issue is adressed in Apple Safari 3.1.1. Apple credits Robert Swiecki of the Google Security Team, and David Bloom for reporting this issue.

This document was written by Chris Taschner.

Vulnerability Note VU#466521

Mozilla JavaScript privilege escalation

Mozilla products contain multiple vulnerabilities that may allow a remote, unauthenticated attacker to execute arbitrary code.

Mozilla Firefox, Thunderbird, and SeaMonkey do not properly handle JavaScript, which may allow privilege escalation and execution of arbitrary code on an affected system.

Successful exploitation of this vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Apply an update

Mozilla Foundation has issued new versions of the affected products which address these vulnerabilities. Please see MFSA 2008-14 for more details.

Workaround

Disabling JavaScript is an effective workaround for these vulnerabilities. It is strongly recommended that you disable JavaScript until a version containing patches for these vulnerabilities can be installed.

http://www.mozilla.org/security/announce/2008/mfsa2008-14.html

Credit

This document was written by Joseph Pruszynski.

Vulnerability Note VU#766019

Apple Safari vulnerable to xss via the processing of JavaScript URLs

A vulnerability in the way Apple Safari handles JavaScript URLs may allow execution of JavaScript in the context of another site.

Apple Safari contains a vulnerability that may cause a cross-site script injection when processing JavaScript URLs. According to Apple Security Advisory APPLE-SA-2008-03-18:

A cross-site scripting issue exists in the processing of javascript: URLs. Enticing a user to visit a maliciously crafted web page could allow the execution of JavaScript in the context of another site. This update addresses the issue by performing additional validation of javascript: URLs.

This vulnerability may allow an attacker to execute JavaScript in the context of another site.

Apply an update

This issue is addressed in Apple Safari 3.1.

http://docs.info.apple.com/article.html?artnum=307563

Credit

This vulnerability was reported in Apple Security Advisory APPLE-SA-2008-03-18. Apple credits Robert Swiecki of Google Information Security Team for reporting this issue.

This document was written by Chris Taschner.

Vulnerability Note VU#794236

SkypeFind fails to properly sanitize user-supplied input

The Skype client does not properly filter user-supplied input that was received from the SkypeFind service. This vulnerability may allow an attacker to execute arbitrary code.

Skype is a peer-to-peer application that provides Voice over IP (VoIP) and Instant Messaging services. The Skype client is available for the Microsoft Windows, Apple OS X and Linux operating systems. SkypeFind allows users to review businesses. These reviews are viewable by others.

Skype does not properly filter input that was supplied to the SkypeFind full name field. An attacker may be able to exploit this vulnerability by injecting script into the full name field. When a user viewed the specially crafted SkypeFind profile, the script would be run in the Internet Explorer Local Machine Zone.

II. Impact

As explained in VU#248184, since the user-supplied script runs in the Local Machine Zone a remote unauthenticated attacker may be able to execute arbitrary code.

Skype has addressed this issue by filtering input supplied to the SkypeFind service.

Restrict access to the Skype URI



Blocking the skype: URI handler by using proxy servers or application firewalls may prevent some remote vulnerabilities in Skype from being exploited without user interaction.

Systems Affected

http://aviv.raffon.net/2008/01/31/AttackersCanSkypeFindYou.aspx

http://msdn2.microsoft.com/en-us/library/ms537183.aspx#local

http://www.skype.com/help/guides/skypefind.html

http://www.kb.cert.org/vuls/id/248184

Credit

This vulnerability was made public by Aviv Raff.

This document was written by Ryan Giobbi.