Hello Full-Disclosure! I want to warn you about Cross-Site Scripting vulnerability in Ad Muncher. In May I already wrote about universal XSS in Ad Muncher (http://websecurity.com.ua/4202/), which allowed to conduct XSS attacks on any sites in any browsers. Which existed in versions before Ad Muncher 4.71. I didn't post about it to the list, because of my conversation with Vladimir Dubrovin aka 3APA3A, who told me that it was not interesting for him in particular (because it was already fixed hole). This vulnerability allows to bypass protection filters of the program and renew universal XSS in Ad Muncher. Details of previous universal XSS vulnerability in Ad Muncher (about all nuances of its work), which is similar to new one (both of them can be used for reflected XSS and Saved XSS attacks), was described in above-mentioned post and in short was described (on English) in article Local XSS (http://websecurity.com.ua/4219/). ------------------------- Affected products: ------------------------- Vulnerable are Ad Muncher 4.81 and previous versions. ---------- Details: ---------- XSS (WASC-08): By default in Ad Muncher 4.71 and next versions the showing of current URL in body of current page (in helper script) is turned off and at that previous hole is fixed. But by using other attack vectors it's still possible to conduct XSS attack when ShowURLInHelper option is turned on. It's universal XSS. Reflected XSS and Saved XSS attacks are possible with using of this vulnerability. The attack is possible in the next cases (in any browsers): 1. At pages with UTF-7. http://site/utf-7.html?--+AD4-+ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4- At request to the page the code will execute automatically. The attack can be conducted at any sites which have UTF-7 pages, or allow to upload web pages to them (and in such way it's possible to set UTF-7 codepage). 2. At pages with any codepage except UTF-7. http://site/utf-8.html?--+AD4-+ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4- At visiting of the page it's needed to force victim to change codepage to UTF-7 and the code will execute automatically. This attack is similar to strictly social XSS in Mozilla and Firefox, which I wrote about in my posts Cross-Site Scripting in Mozilla and Firefox (http://websecurity.com.ua/1413/) and Cross-Site Scripting with UTF-7 in Mozilla and Firefox (http://websecurity.com.ua/3062/). It's possible in browsers Mozilla 1.7.x and previous versions, Firefox 1, Firefox 2 and Firefox 3.0 and Firefox 3.0.1 (and other browsers, which allow to set UTF-7 codepage). ------------ Timeline: ------------ 2010.05.25 - announced at my site. 2010.05.25 - informed developers. 2010.11.10 - Ad Muncher 4.9 was released, in which this hole was fixed. 2010.12.28 - disclosed at my site. I mentioned about this vulnerability at my site (http://websecurity.com.ua/4231/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/