Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Trigerring Java code from a SVG image
From: Nicolas Grégoire <nicolas.gregoire () agarri fr>
Date: Wed, 16 May 2012 19:29:11 +0200


Uploading a SVG chameleon (SVG file triggering a XSLT
transformation) to a website allows to display nearly arbitrary
content if the file is called directly.

In order to demonstrate this point _and_ the weird Opera behavior, I put
online a SVG chameleon and a HTML file calling it via <img>:
http://www.agarri.fr/docs/svg2html.svg
http://www.agarri.fr/docs/svg2html.html

If the chameleon is called directly, Opera, Firefox and Webkit (IE
untested) execute the HTML Javascript code located in the output
document. Look at the DOM, there's no more reference to the source SVG
file anymore.

If the chameleon is called via <img>, only Opera renders the HTML output
(without executing the Javascript). I didn't test if the inter-documents
behavior is similar to the (i)frames one ... Screen-shot:
http://www.agarri.fr/docs/opera-chameleon.png

<shameless advertising>I'll demonstrate some additional XML/XSLT/SVG/...
tricks at Hack in the Box Amsterdam next week</shameless advertising>

Nicolas

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault