Browser Security Pack
Nov. 24, 2004, 03:40 AM
Post: #211
 
Version 4.26 is Released!

Last Updated: November 23rd, 2004 - 10:40 PM EST

What's New?

Quote:[-Version 4.26-]
-Added (IE: IFRAME Buffer Overflow Exploit [Kye-U])
http://secunia.com/advisories/12959/

-Modified (Remove Tiny Object/IFrame/Applet Tags [Kye-U])
--Fixed False Positives

http://prxbx.com/forums/index.ph...topic=131&st=0#

Download here!
Nov. 24, 2004, 08:33 AM
Post: #212
 
I'm getting a lot of alerts by "Mozilla: XUL Remover [Kye-U]" from various Mozilla web site pages and related sites

Is that typical?

thx

~Nolan Smile!
Nov. 24, 2004, 09:02 PM
Post: #213
 
Hmm, well the filter is designed to remove anything with "*.xul"

If you surf a site a lot, like MozillaZine, enter this before the "($TYPE(htm)|$TYPE(js))" in the URL Match:

(^*mozillazine.org/)

So it looks like:

(^*mozillazine.org/)($TYPE(htm)|$TYPE(js))

Or you can disable the filter Smile!

I'd expect it to match a lot, and this "general" matching expression is required because ".XUL" can be placed anywhere to spoof a browser.

POC: http://www.nd.edu/~jsmith30/xul/test/spoof.html
Nov. 25, 2004, 03:24 AM
Post: #214
 
Quote:If you surf a site a lot, like MozillaZine, enter this before the "($TYPE(htm)|$TYPE(js))" in the URL Match:
Will do. Thanks

~Nolan Big Teeth
Nov. 25, 2004, 08:06 AM
Post: #216
 
Quote: I'm getting a lot of alerts by "Mozilla: XUL Remover [Kye-U]" from various Mozilla web site pages and related sites
You could rewrite the replacement to remove the alert and just print a warning on the page. I did that with the Invalid Tag Size filter like this:
Code:
Replace = "Fixed Invalid Tag Size(s)"
Dec. 25, 2004, 03:56 AM
Post: #217
 
Version 4.27 is Released!

Last Updated: December 23rd, 2004 - 5:20 PM EST

What's New?

Quote:[-Version 4.27-]
-Added (IE: DHTML Edit Control Class ID [Kye-U])
http://securityfocus.com/bid/11950/info/

-Added (Mozilla: "About" Crash [Kye-U])
http://maas-online.nl/security/advisory-...-crash.txt

http://prxbx.com/forums/index.ph...topic=131&st=0#

Download here!
Dec. 25, 2004, 04:16 PM
Post: #218
 
Hi Kye. I've imported your filters into Sidke's 12/15/04 config and everything seems to be working fine. However, I get these notices with a notify beep whenever I browse certain sites with these exploits. Can't you fix the filters so that they can do their thing in silence without having to push the freakin button. Smile!
Dec. 26, 2004, 07:37 PM
Post: #219
 
Ralph,
Quote:Can't you fix the filters so that they can do their thing in silence without having to push the freakin button
All you have to do is remove the $ALERT and the parentheses after it and leave the message. That message will then be printed on the web page.
Dec. 26, 2004, 07:43 PM
Post: #220
 
Ralph Wrote: Hi Kye. I've imported your filters into Sidke's 12/15/04 config and everything seems to be working fine. However, I get these notices with a notify beep whenever I browse certain sites with these exploits. Can't you fix the filters so that they can do their thing in silence without having to push the freakin button. Smile!
Here you go, I just used UltraEdit to delete all $ALERT() text.

Cheers

BTW, this won't let you know if any filters have taken action on the page [unsure]
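Added example, not part of any post in this thread or of the Security Pack itself: a Python script that performs the edit posts #219 and #220 describe on filter text, including a message that itself contains parentheses, such as the "Fixed Invalid Tag Size(s)" text from post #216. The names `silence_alerts`, `closing_paren` and `SAMPLE` are hypothetical, the sample lines are constructed, and treating a backslash as escaping the next character is an assumption about the filter syntax.

```python
ALERT = "$ALERT("

def closing_paren(text, start):
    """Index of the ')' closing the '(' that precedes `start`, or -1."""
    depth, i = 1, start
    while i < len(text):
        if text[i] == "\\":      # assumption: backslash escapes the next char
            i += 2
            continue
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1

def silence_alerts(text, keep_message=True):
    """Turn each $ALERT(msg) into msg (post #219) or nothing (post #220)."""
    out, pos = [], 0
    while True:
        hit = text.find(ALERT, pos)
        end = closing_paren(text, hit + len(ALERT)) if hit != -1 else -1
        if end == -1:            # no more alerts, or an unbalanced one: keep the rest
            out.append(text[pos:])
            return "".join(out)
        out.append(text[pos:hit])
        if keep_message:
            out.append(text[hit + len(ALERT):end])
        pos = end + 1

# Constructed sample lines in the style of the filters quoted in this thread.
SAMPLE = (
    'Replace = "$ALERT(Mozilla: Print Iframe Crash detected on: \\n\\n\\u)"\n'
    'Replace = "$ALERT(Fixed Invalid Tag Size(s))"\n'
)

if __name__ == "__main__":
    print(silence_alerts(SAMPLE), end="")
    print(silence_alerts(SAMPLE, keep_message=False), end="")
```

With `keep_message=True` the text is still printed on the filtered page, so a filter's action stays visible; `keep_message=False` removes that trace, which is the trade-off post #220 mentions.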
Dec. 26, 2004, 10:57 PM
Post: #221
 
Thank you both. I like the option without the alerts better. Now all I need to do is find some colors I like for Sidke's new config. Siameasecat, you're good with colors; any recommendations? I used the black satin textures previously but I would like something different. Sidke's new config is so great I feel it needs special colors!
Dec. 27, 2004, 05:25 AM
Post: #222
 
Ralph,

Quote: colors; any recommendations?
I like the dark wood and burly wood textures. I used them in an alternate set of filters.
Dec. 27, 2004, 05:29 AM
Post: #223
 
And I want the beep, but FF plugin is missing... any download link for "WAV PLUGIN"?

Projekt DFS : projektdfs[at]gmail.com : What is it?
It's ONLINE NOW!!! pm me for url. max 250 users. by invite only please.
Dec. 27, 2004, 06:32 PM
Post: #224
 
Kye-U,

I have a suggested correction for the "Mozilla: "About" Crash [Kye-U]" filter in security pack v. 4.27.

Code:
Name = "Mozilla: Print Iframe Crash [Kye-U]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))"
Limit = 100
Match = "(\s|)src=$AV(about:*)"
        "|(window.\w.\w.|)print(\(*\)|;|)"
        "$SET(\9=A Gecko-based browser can crash when trying to print an Iframe."
        ""
        "Version(s) Vulnerable: Gecko-based Browsers"
        "http://maas-online.nl/security/advisory-mozilla-crash.txt)"
Replace = "$ALERT(Mozilla: Print Iframe Crash detected on: \n\n\u)"
It is not really the "about: *" that is the problem. It is the attempt to print an iframe. I think that this match correction would work better as well.
Jan. 25, 2005, 04:40 AM
Post: #225
 
Version 4.28 is Released!

Last Updated: January 24th, 2005 - 11:32 PM EST

What's New?

Quote:[-Version 4.28-]
-Added (IE: Embedded Body IFRAME Exploit [Kye-U])
http://securityfocus.com/bid/12264/info/

-Modified (IE: IFRAME Buffer Overflow Exploit [Kye-U])
--Fixed False Positives

-Modified (Mozilla: "About" Crash [Kye-U])
--Renamed to (Mozilla: 'Print IFRAME' Crash [Kye-U])
--Changed match on advice Eyes Closed Smile

http://prxbx.com/forums/index.ph...topic=131&st=0#

Download here!