Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Trigerring Java code from a SVG image
From: Dan Kaminsky <dan () doxpara com>
Date: Wed, 16 May 2012 02:13:13 -0700

Yeah, there's a bunch of wild stuff in SVG.  The browsers ignore most of
it, AFAIK.  I think Firefox is the only browser to even consider
ForeignObjects (which let you throw HTML back into SVG).

Probably the most interesting SVG thing is how they either do or don't have
script access, depending on whether or not they're loaded as <img>'s.  It
would be problematic indeed if <img src="foo.jpg"> could suddenly render
script!


On Tue, May 15, 2012 at 5:07 AM, Nicolas Grégoire <
nicolas.gregoire () agarri fr> wrote:

Hello,

SVG is a XML-based file format for static or animated images. Some SVG
specifications (like  SVG 1.1 and SVG Tiny 1.2) allow to trigger some
Java code when the SVG file is opened.

Given that I had to look at these features for a customer, I developed
some PoC codes which are now available online:
http://www.agarri.fr/docs/batik-evil.svg
http://www.agarri.fr/docs/batik-evil.jar

I published a more detailed article on my blog:
http://www.agarri.fr/blog/

Regards,
Nicolas Grégoire / @Agarri_FR

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]