Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Trigerring Java code from a SVG image
From: Krzysztof Kotowicz <kkotowicz+fd () gmail com>
Date: Wed, 16 May 2012 15:16:52 +0200

Kind of. You can still do some stuff from <img> in Opera.
http://kotowicz.net/opera/

On Wed, May 16, 2012 at 12:25 PM, Dan Kaminsky <dan () doxpara com> wrote:
Anything from <img> in any browser?


On Wed, May 16, 2012 at 2:25 AM, Michele Orru <antisnatchor () gmail com>
wrote:

Mario Heiderich did a lot of research on that, he found so many bugs
that allowed
to embed Javascript in SVG images.

Nice stuff Nick btw,

Cheers
antisnatchor

On Wed, May 16, 2012 at 10:13 AM, Dan Kaminsky <dan () doxpara com> wrote:
Yeah, there's a bunch of wild stuff in SVG.  The browsers ignore most of
it,
AFAIK.  I think Firefox is the only browser to even consider
ForeignObjects
(which let you throw HTML back into SVG).

Probably the most interesting SVG thing is how they either do or don't
have
script access, depending on whether or not they're loaded as <img>'s.
 It
would be problematic indeed if <img src="foo.jpg"> could suddenly render
script!


On Tue, May 15, 2012 at 5:07 AM, Nicolas Grégoire
<nicolas.gregoire () agarri fr> wrote:

Hello,

SVG is a XML-based file format for static or animated images. Some SVG
specifications (like  SVG 1.1 and SVG Tiny 1.2) allow to trigger some
Java code when the SVG file is opened.

Given that I had to look at these features for a customer, I developed
some PoC codes which are now available online:
http://www.agarri.fr/docs/batik-evil.svg
http://www.agarri.fr/docs/batik-evil.jar

I published a more detailed article on my blog:
http://www.agarri.fr/blog/

Regards,
Nicolas Grégoire / @Agarri_FR

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



--
/antisnatchor



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]