
Ad Muncher 4.81 Cross Site Scripting

Posted Dec 29, 2010
Authored by MustLive

Ad Muncher versions 4.81 and below suffer from cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 0fa1d8513b69bc1fc286ae4ef31437ee0f3760917a95bc68f2da8de87aa0bf1b

Hello Full-Disclosure!

I want to warn you about a Cross-Site Scripting vulnerability in Ad Muncher.

In May I already wrote about a universal XSS in Ad Muncher
(http://websecurity.com.ua/4202/), which allowed conducting XSS attacks on
any site in any browser. It existed in versions before Ad Muncher 4.71.
I didn't post about it to the list, because of my conversation with Vladimir
Dubrovin aka 3APA3A, who told me that it was not interesting for him in
particular (because it was an already fixed hole).

This vulnerability allows bypassing the protection filters of the program and
renewing the universal XSS in Ad Muncher. Details of the previous universal XSS
vulnerability in Ad Muncher (about all nuances of its work), which is
similar to the new one (both of them can be used for reflected XSS and Saved XSS
attacks), were described in the above-mentioned post and were described in short
(in English) in the article Local XSS (http://websecurity.com.ua/4219/).

-------------------------
Affected products:
-------------------------

Vulnerable are Ad Muncher 4.81 and previous versions.

----------
Details:
----------

XSS (WASC-08):

By default in Ad Muncher 4.71 and later versions, showing the current URL
in the body of the current page (in the helper script) is turned off, and with
that the previous hole is fixed. But by using other attack vectors it's still
possible to conduct an XSS attack when the ShowURLInHelper option is turned on.

It's a universal XSS. Reflected XSS and Saved XSS attacks are possible
using this vulnerability.

The attack is possible in the following cases (in any browser):

1. On pages with UTF-7.

http://site/utf-7.html?--+AD4-+ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4-

On request of the page the code will execute automatically.

The attack can be conducted on any sites which have UTF-7 pages, or allow
uploading web pages to them (and in such a way it's possible to set the UTF-7
codepage).

2. On pages with any codepage except UTF-7.

http://site/utf-8.html?--+AD4-+ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4-

When visiting the page, it's necessary to force the victim to change the
codepage to UTF-7 and the code will execute automatically. This attack is
similar to the strictly social XSS in Mozilla and Firefox, which I wrote about
in my posts Cross-Site Scripting in Mozilla and Firefox
(http://websecurity.com.ua/1413/) and Cross-Site Scripting with UTF-7 in
Mozilla and Firefox (http://websecurity.com.ua/3062/). It's possible in
the browsers Mozilla 1.7.x and previous versions, Firefox 1, Firefox 2,
Firefox 3.0 and Firefox 3.0.1 (and other browsers which allow setting the UTF-7
codepage).

------------
Timeline:
------------

2010.05.25 - announced at my site.
2010.05.25 - informed developers.
2010.11.10 - Ad Muncher 4.9 was released, in which this hole was fixed.
2010.12.28 - disclosed at my site.

I mentioned this vulnerability at my site
(http://websecurity.com.ua/4231/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
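
The URLs in the advisory carry `<` and `>` as UTF-7 shifted blocks (`+ADw-`, `+AD4-`), so a filter that inspects only the raw query string never sees them. The Python check below is an added example, not code from the advisory or from Ad Muncher: it decodes shifted blocks in a URL query and reports HTML metacharacters that appear only after UTF-7 decoding. The function names and the second sample URL are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# UTF-7 shifted block: '+', modified-base64 characters, optional '-' terminator.
SHIFTED = re.compile(r"\+([A-Za-z0-9+/]*)-?")
HTML_META = set("<>\"'")


def _decode_block(match: re.Match) -> str:
    b64 = match.group(1)
    if not b64:
        return "+"  # "+-" encodes a literal plus sign
    if len(b64) % 4 == 1:
        return match.group(0)  # not valid base64, e.g. "hello+world"
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    except binascii.Error:
        return match.group(0)
    raw = raw[: len(raw) - len(raw) % 2]  # whole UTF-16 code units only
    return raw.decode("utf-16-be", errors="replace")


def utf7_view(text: str) -> str:
    """Render text the way a UTF-7 decoder would."""
    return SHIFTED.sub(_decode_block, text)


def hidden_markup(url: str) -> set[str]:
    """HTML metacharacters that exist in the query only after UTF-7 decoding."""
    query = unquote(urlsplit(url).query)  # unquote keeps '+', unlike unquote_plus
    return (HTML_META & set(utf7_view(query))) - set(query)


if __name__ == "__main__":
    samples = [
        # URL pattern quoted in the advisory above
        "http://site/utf-7.html?--+AD4-+ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4-",
        # Constructed benign input: '+' used as a space in a search query
        "http://site/search?q=hello+world",
    ]
    for url in samples:
        found = hidden_markup(url)
        print("FLAG " if found else "ok   ", sorted(found), url)
```

A non-empty result means the text must be escaped after UTF-7 normalisation, or the response must declare an explicit non-UTF-7 charset, before the URL is echoed into a page.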

