Scalable Vector Graphics (SVG) is a relatively new XML-based language for creating and controlling vector graphics. The language was standardized and endorsed by the WWW Consortium (W3C).
Several SVG parsers and renderers have been released as browser plugins, but the most popular of them all is Adobe SVG Viewer (ASV). According to Adobe: "Adobe SVG Viewer 3.0 is available in 15 languages and many millions of viewers have already been distributed worldwide".
A vulnerability in Adobe SVG Viewer allows remote attackers to read locally stored files and files that are stored on other web sites.
Credit:
The original advisory can be downloaded from: http://security.greymagic.com/adv/gm003-mc/.
The information has been provided by GreyMagic Software.
Vulnerable systems:
* Adobe SVG Viewer (ASV) 3.0 and prior
* Adobe SVG Viewer 3 Build 76
Adobe SVG Viewer exposes several non-standard extensions. Among them are the "postURL" and "getURL" methods. These methods are meant to make asynchronous HTTP requests to a server and return the results to the SVG document via a callback function that is supplied as an argument.
Both "postURL" and "getURL" attempt to prevent requests to local files and URLs on different domains for obvious security reasons.
However, GreyMagic discovered that when a valid URL is supplied to these methods and that URL then redirects to a local or remote file, the content of the redirect target is returned, allowing an attacker to read any file on the user's computer and on remote sites. Note that in this case cookies are sent to remote sites, making the privacy breach quite severe.
A significant mitigating factor in IE6 SP1 is its prevention of navigation to local content from the Internet Zone. This means that users of IE6 SP1 (in the Internet Zone ONLY) are safe from having their local files read by this vulnerability. However, they are not safe from remote URL reading. All other versions of IE are vulnerable to both local and remote file reading.
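The flaw described above is a check applied only to the URL the document supplies, not to where the server then redirects. The following is an added example, not code from the GreyMagic advisory or from Adobe's viewer: it models both policies over a constructed in-memory redirect table (no real HTTP is performed). The document origin, the table entries and the function names are all assumptions made for the illustration.

```javascript
// Added example (not from the advisory or Adobe SVG Viewer): same-origin policy
// for a getURL/postURL-style helper, checked once versus checked at every hop.

// Hypothetical origin of the SVG document making the request.
const DOCUMENT_ORIGIN = "http://svg.example.test";

// Constructed redirect table: request URL -> Location the "server" would answer with.
const REDIRECTS = {
  "http://svg.example.test/rd.asp": "file:///C:/secret.txt",            // same-origin URL redirecting to a local file
  "http://svg.example.test/rd2.asp": "http://other.example.test/private", // same-origin URL redirecting cross-origin
  "http://svg.example.test/hop1": "http://svg.example.test/hop2",         // benign same-origin chain
  "http://svg.example.test/hop2": "http://svg.example.test/data.xml",
};

// Returns the origin for http/https URLs, or null for schemes such as file:
// that must never be reachable from web content.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.origin;
}

function sameOrigin(url) {
  const o = originOf(url);
  return o !== null && o === DOCUMENT_ORIGIN;
}

// Flawed policy (the behaviour the advisory describes): only the URL the
// document supplied is checked; redirects are then followed blindly.
function resolveCheckingInitialOnly(url, maxHops = 10) {
  if (!sameOrigin(url)) {
    return { allowed: false, finalUrl: url, reason: "initial URL cross-origin or non-http" };
  }
  let current = url;
  for (let i = 0; i < maxHops && REDIRECTS[current]; i++) {
    current = new URL(REDIRECTS[current], current).href;
  }
  return { allowed: true, finalUrl: current, reason: "initial URL passed" };
}

// Hardened policy: the same check is re-applied to every hop of the chain,
// so a redirect to file: or to another host is refused before any content is read.
function resolveCheckingEveryHop(url, maxHops = 10) {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!sameOrigin(current)) {
      return { allowed: false, finalUrl: current, reason: "hop " + hop + " cross-origin or non-http" };
    }
    const next = REDIRECTS[current];
    if (!next) return { allowed: true, finalUrl: current, reason: "chain stayed same-origin" };
    current = new URL(next, current).href;
  }
  return { allowed: false, finalUrl: current, reason: "too many redirects" };
}

// Stand-alone run: compare the two policies on each constructed entry.
for (const start of Object.keys(REDIRECTS)) {
  console.log(start, "->", JSON.stringify(resolveCheckingInitialOnly(start)),
              "|", JSON.stringify(resolveCheckingEveryHop(start)));
}
```

The first policy reports rd.asp as allowed with a file: URL as the final target, which is exactly the condition the advisory describes; the second refuses it at the first redirect. Treating non-http schemes as having no origin (rather than comparing origin strings alone) is what keeps file: out even when a naive string comparison would not have matched anyway.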
Exploit:
The following code attempts to read a local or remote file; "rd.asp" is a same-origin page that redirects to the desired unauthorized location.
getURL(
    "rd.asp",                        // passes the same-origin check, then redirects elsewhere
    function (oResponse) {           // callback receives the content of the redirect target
        parent.alert(oResponse.content);
    }
);
Demonstration:
A demonstration is available at: http://security.greymagic.com/adv/gm003-mc/.
Solution:
GreyMagic brought this issue to Adobe on 09-Sep-2003. They have devised a patched version (ASV 3.01) and made it available on the official ASV download site.