Michael Daw's Hacks

DOM Race Conditions

It is interesting to note, when playing with the onUnload event handler, that both Firefox and IE make requests and retrieve responses whilst the DOM is still set to the previous domain.

This got me toying with the idea of a timing attack to bypass the same-origin policy. The basic idea behind this attack is utilising [...]


Wordpress template.php Exploit

Update 16/01: see http://michaeldaw.org/projects/wpsec/

It's been a few days since the release of:
http://michaeldaw.org/md-hacks/wordpress-persistent-xss/.

Other references:

http://www.securityfocus.com/bid/21782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6808

Time to release a proof-of-concept exploit for this. I am sure the crackers will already be exploiting this in the wild.

If you remember from my original advisory, our attack was limited because the payload was passed through PHP's basename function. [...]


WordPress Persistent XSS

Vulnerability Title: WordPress Persistent XSS
Author: David Kierznowski
Homepage: http://michaeldaw.org
Software Vendor: WordPress
Versions affected: Confirmed in v2.0.5 (latest)

WordPress is a popular open source blogging application.
A persistent XSS vulnerability has been found in WordPress (to be honest I have found a few problems and hope to publish these soon). This issue affects the latest version v2.0.5.

Discussion:
When editing [...]


Hacking HomePlug Networks

I don’t know whether HomePlug networks are growing in use or not, but the following statements caught my attention:
“Officials at Intellon, the chip maker that developed the HomePlug spec, say that hacking into a HomePlug network would require cracking the government’s DES encryption standard.” – link
My favourite:
“HomePlug specification products also protect data by utilizing powerful [...]


CSRF with MS Word

Update 15/12:
CSRF in MS Word part II
Update 28/11:
It is interesting to note that MS Word 2003 will actually warn the user. Obviously, someone at Microsoft saw the potential for badness here. Good stuff.

Microsoft Word has been plagued with vulnerabilities in the past. Therefore, mail servers often block attachments with the .doc extension. However, with applications [...]