Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19868
HistoryMay 20, 2008 - 12:00 a.m.

Microsoft word javascript execution

2008-05-2000:00:00
vulners.com
22
JSON

Products affected: Microsoft word 2003/2007
OS Tested : Windows Xp all patch

The vulnerability is that you can run javascript in an arbitrary manner without permission of the
user. While it is limited what you can get to run, this may help attackers using methods that
distort the environment javascript to tempt execute a malicious file. It also could run a page
without the permission of the user to include any vulnerability or a script malignant in the user's
browser.

To make the proof of concept follow the following steps

1-Make a html file and paste xss code
2-Open the html file with the word and save as β€œdocument xml”
3-Rename .xml to .doc
4-Open .doc file

XSS

<html>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url
value=javascript:alert('Prueba')></OBJECT>

It is important to include the tag <html> because it makes it to interpret the code followed.

One curiosity is that using this method and inserting a malformed object causing a denial of
service.Significantly, the file must be saved with an RTF not with the DOC.

Crash

<html>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389> </OBJECT>

I leave some proof of concept that simply open a alert and another that leads to denial of services.

XSS
http://es.geocities.com/jplopezy/xss.doc

CRASH

http://es.geocities.com/jplopezy/crash.rtf

Juan Pablo Lopez Yacubian

JSON