###
GreenBrowser About: dialog XSS and stored XSS
Vendor URL:http://www.morequick.com/
advisore:http://lostmon.blogspot.com/2012/03/greenbrowser-about-dialog-xss-and.html
Vendor notify:NO exploit available:yes
###
GreenBrowser is your best choice of flexible and powerful green web
browser. GreenBrowser is free to download and use.
GreenBrowser contains a two flaws that allows a remote cross site
scripting (XSS) attack. This flaw exists because the application does
not validate the about: Uri dialog and last visited pages. This may
allow a user to create a specially crafted URL that would execute
arbitrary script code in a user's browser within the trust
relationship between their browser and the server.
Also the browser save the last URL visited and then, if a user create
a crafted link and clin in, it is a stored XSS because when open the
browser by default it open http://www.5igb.com/StartEn.htm and it have
the last visited URL... The xss is executed in this URL :) page and
browser not validate LastVisitWriteEn() before render to the user.
You can see this function here => http://www.5igb.com/function.js
#################
Proof of Concept
#################
create a html doc and write this code, click in the link and it
execute the xss close the browser and open it again, in last visit
pages we have the url of PoC and it executes the stored XSS
<html><body>
<a href='about:"><script>alert(1)</script>'>GreenBrowser about: handler XSS</a>
</body></html>
################
Versions afected
################
6.1.0117 (2012-01-17 10:22:02)
6.1.0216 (2012-02-16 21:37:10)
##################
Solution
###################
No solution was available at this time !!!
################ nd ####################
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....