Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Trigerring Java code from a SVG image
From: Nicolas Grégoire <nicolas.gregoire () agarri fr>
Date: Wed, 16 May 2012 19:29:11 +0200

Uploading a SVG chameleon (SVG file triggering a XSLT
transformation) to a website allows to display nearly arbitrary
content if the file is called directly.

In order to demonstrate this point _and_ the weird Opera behavior, I put
online a SVG chameleon and a HTML file calling it via <img>:

If the chameleon is called directly, Opera, Firefox and Webkit (IE
untested) execute the HTML Javascript code located in the output
document. Look at the DOM, there's no more reference to the source SVG
file anymore.

If the chameleon is called via <img>, only Opera renders the HTML output
(without executing the Javascript). I didn't test if the inter-documents
behavior is similar to the (i)frames one ... Screen-shot:

<shameless advertising>I'll demonstrate some additional XML/XSLT/SVG/...
tricks at Hack in the Box Amsterdam next week</shameless advertising>


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]