Vendor Site: Avant browser (www.avantbrowser.com)
Date: December, 5 2012 – CVE (TBA)
Researcher: Roberto Suggi Liverani - @malerisch
PDF version: Avant_multiple_vulnerabilities_advisory.pdf
Stored Cross Site Scripting - Feed Reader (browser://localhost/lst?*)
<?xml version='1.0' encoding="ISO-8859-1"?>
<title>browser security><img src=a onerror='alert(1);' ;></title>
<description>07/09/2008 - I have done some research in the area of browser security and presented this argument at the last OWASP NZ meeting.<img src=a onerror='alert(2);';>
<pubDate>Sun, 07 Sep 2008 12:00:00 GMT</pubDate>
Injection is possible in a single case: when a user views a malicious feed using the Avant Feed Reader built-in component.
The Feed Reader is located under the feed:// URI scheme (e.g. feed://localhost/browser/avent/rss.xml). Note that the feed URL has to be subscribed to before it is rendered under the feed: URI. Also, the feed:// URI scheme is mapped to browser://localhost/lst?domain.name/path/to/rss.feed.
This vulnerability can be defined as a traditional Stored Cross Site Scripting vulnerability. Although the injection is rendered within an internal browser zone (mapped to browser://localhost/lst?domain.name/path/to/rss.feed), invocation of privileged commands appears not to be possible, as the Same Origin Policy (SOP) is correctly applied to the browser:// zone.
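As an added defensive illustration (not code from the advisory or from Avant), the following Python sketch parses a feed shaped like the proof of concept above and contrasts copying the item fields verbatim into the reader's page with HTML-escaping them first. The rss/channel/item wrappers and the CDATA sections are assumptions, since the advisory shows only the affected fields.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample feed modelled on the advisory's proof of concept.
# The <rss>/<channel>/<item> wrappers and the CDATA sections are assumed
# (the advisory shows only the affected <title>/<description> fields).
SAMPLE_FEED = b"""<?xml version='1.0' encoding="ISO-8859-1"?>
<rss version="2.0"><channel><title>constructed feed</title>
<item>
<title><![CDATA[browser security><img src=a onerror='alert(1);' ;>]]></title>
<description><![CDATA[07/09/2008 - research note.<img src=a onerror='alert(2);';>]]></description>
<pubDate>Sun, 07 Sep 2008 12:00:00 GMT</pubDate>
</item>
</channel></rss>"""


def parse_items(feed_xml: bytes) -> list:
    """Return the <item> entries of an RSS document as plain-text fields.

    xml.etree is used for brevity; a production reader should parse untrusted
    feeds with a hardened parser (e.g. defusedxml) to block entity expansion.
    """
    root = ET.fromstring(feed_xml)
    return [
        {
            "title": item.findtext("title", default=""),
            "description": item.findtext("description", default=""),
            "pubDate": item.findtext("pubDate", default=""),
        }
        for item in root.iter("item")
    ]


def render_item_unsafe(item: dict) -> str:
    # Feed text copied verbatim into the reader's page: any markup inside
    # the feed becomes live HTML, which is the stored XSS described above.
    return f"<h2>{item['title']}</h2><p>{item['description']}</p>"


def render_item_safe(item: dict) -> str:
    # Treat every feed field as data, not markup: escape <, >, &, " and '
    # so the payload is displayed as text instead of being interpreted.
    title = html.escape(item["title"], quote=True)
    desc = html.escape(item["description"], quote=True)
    date = html.escape(item["pubDate"], quote=True)
    return f"<h2>{title}</h2><p>{desc}</p><time>{date}</time>"


def render_feed_safe(feed_xml: bytes) -> str:
    return "\n".join(render_item_safe(i) for i in parse_items(feed_xml))
```

Escaping everything is the correct default for a reader that displays feeds as text; if HTML descriptions must be supported, an allow-list sanitizer is needed rather than verbatim insertion.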
Avant Browser - Stored Cross Site Scripting - Feed Reader (browser://localhost/lst?*)
14/03/2012 - Reception of report confirmed but no further reply
14/03/2012 - Chased them, no reply
03-05/2012 - 2 new releases following the report, one bug silently fixed
12/05/2012 - HITB2012AMS - bug disclosed during presentation
14/11/2012 - HackPra - bug and exploit module presented
Do not use Avant browser.