[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[WEB SECURITY] Bug in Internet Explorer security model when embedding Flash
- From: Guy Aharonovsky <guy@xxxxxxxxx>
- Subject: [WEB SECURITY] Bug in Internet Explorer security model when embedding Flash
- Date: Mon, 15 Sep 2008 12:04:18 +0300
--_004_F5B5EF8F78C0BC4BB417E1DBB9D7F7D071E25FFFjjex01jajahdubl_
Content-Type: multipart/alternative;
boundary="_000_F5B5EF8F78C0BC4BB417E1DBB9D7F7D071E25FFFjjex01jajahdubl_"
--_000_F5B5EF8F78C0BC4BB417E1DBB9D7F7D071E25FFFjjex01jajahdubl_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Taken from my blog:
http://blog.guya.net/2008/09/10/bug-in-internet-explorer-security-model-whe=
n-embedding-flash/
Update: I've posted a real world example of this bug being exploited<http:/=
/blog.guya.net/2008/09/14/encapsulating-csrf-attacks-inside-massively-distr=
ibuted-flash-movies-real-world-example/>.
This one has the same behavior on IE6, IE7 and IE8 betas.
I have only tested this with Flash swf files, but it's likely that this sec=
urity is applied and broken the same way, when navigating to different type=
s of files.
When loading Flash file (swf) directly inside the browser without an html p=
age container, for ex: http://example.com/game.swf , most browsers create a=
n html page automatically and embed the swf inside it. FireFox and Google C=
hrome, for that matter, automatically create an embed tag with some default=
values, and IE uses this mshtml script (res://mshtml.dll/objectembed_neutr=
al.js<res://\\mshtml.dll/objectembed_neutral.js>) to load the object.
The fact that this automatically created embed tag doesn't mention the allo=
wscriptaccess property it's defaulted to samedomain. This way the swf file =
can script the automatically generated html page it resides in, using Exter=
nalInterface<http://blog.guya.net/2006/06/19/understanding-flash%E2%80%99s-=
externalinterface/>, leading to a major security flaw. I will post about a =
real world example of this security flaw, shortly.
Internet Explorer, rightfully, consider this generated page as less secure =
and as such restrict access to the JavaScript document object. It's prevent=
ing from the embedded swf to script the DOM of the page.
Just test it, go to any swf file<http://www.google.com/search?q=3Dfiletype%=
3Aswf> on the web using Internet explorer, then run this script in the addr=
ess bar javascript:alert(document); you'll see the error "Access is denied"=
. Touching the document is prohibited!
[cid:image001.png@01C9172B.2E538D70]<http://blog.guya.net/wp-content/upload=
s/2008/09/error-access-denied.png>
But, all that is needed to compromise this security feature in IE is to rel=
oad the page. That's it, just reload the page once by pressing F5. Run the =
script again javascript:alert(document); you'll see the precious document a=
nd no error will be thrown.
Since most of the other javascript objects are still available and among th=
ese is the window native object. A swf file, for example, can reload the pa=
ge on its own using window.location.reload() and then will be able to bypas=
s the restriction and freely manipulate the page.
This script can run from inside the swf using ExternaInterface.call("eval",=
"script"); If the "try" clause fail it's probably an IE browser and the pa=
ge will reload immediately without the user noticing. The 2nd time the page=
loads the "try" clause won't fail.
JavaScript:
1. try{
2. $d =3D document;
3. //Mess with the DOM
4. }catch(ex){
5. window.location.reload();
6. }
I was impressed that Microsoft implemented such a security feature as oppos=
ed to FireFox, Chrome and others who don't have a similar restriction. but,=
it needs to be done right otherwise it misses the point.
As I said, I'll post a real world example of this being exploited, soon.
Call me free at: http://jajah.com/guy
Visit me at: http://guya.net<http://guya.net/> & http://jajahdevblog.com/gu=
y
************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************
--_000_F5B5EF8F78C0BC4BB417E1DBB9D7F7D071E25FFFjjex01jajahdubl_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:x=3D"urn:schemas-microsoft-com:office:excel" xmlns:p=3D"urn:schemas-m=
icrosoft-com:office:powerpoint" xmlns:a=3D"urn:schemas-microsoft-com:office=
:access" xmlns:dt=3D"uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s=3D"=
uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs=3D"urn:schemas-microsof=
t-com:rowset" xmlns:z=3D"#RowsetSchema" xmlns:b=3D"urn:schemas-microsoft-co=
m:office:publisher" xmlns:ss=3D"urn:schemas-microsoft-com:office:spreadshee=
t" xmlns:c=3D"urn:schemas-microsoft-com:office:component:spreadsheet" xmlns=
:odc=3D"urn:schemas-microsoft-com:office:odc" xmlns:oa=3D"urn:schemas-micro=
soft-com:office:activation" xmlns:html=3D"http://www.w3.org/TR/REC-html40"; =
xmlns:q=3D"http://schemas.xmlsoap.org/soap/envelope/"; xmlns:D=3D"DAV:" xmln=
s:x2=3D"http://schemas.microsoft.com/office/excel/2003/xml"; xmlns:ois=3D"ht=
tp://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir=3D"http://schema=
s.microsoft.com/sharepoint/soap/directory/" xmlns:ds=3D"http://www.w3.org/2=
000/09/xmldsig#" xmlns:dsp=3D"http://schemas.microsoft.com/sharepoint/dsp"; =
xmlns:udc=3D"http://schemas.microsoft.com/data/udc"; xmlns:xsd=3D"http://www=
.w3.org/2001/XMLSchema" xmlns:sub=3D"http://schemas.microsoft.com/sharepoin=
t/soap/2002/1/alerts/" xmlns:ec=3D"http://www.w3.org/2001/04/xmlenc#"; xmlns=
:sp=3D"http://schemas.microsoft.com/sharepoint/"; xmlns:sps=3D"http://schema=
s.microsoft.com/sharepoint/soap/" xmlns:xsi=3D"http://www.w3.org/2001/XMLSc=
hema-instance" xmlns:udcxf=3D"http://schemas.microsoft.com/data/udc/xmlfile=
" xmlns:wf=3D"http://schemas.microsoft.com/sharepoint/soap/workflow/"; xmlns=
:mver=3D"http://schemas.openxmlformats.org/markup-compatibility/2006"; xmlns=
:m=3D"http://schemas.microsoft.com/office/2004/12/omml"; xmlns:mrels=3D"http=
://schemas.openxmlformats.org/package/2006/relationships" xmlns:ex12t=3D"ht=
tp://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m=3D"htt=
p://schemas.microsoft.com/exchange/services/2006/messages" xmlns:Z=3D"urn:s=
chemas-microsoft-com:" xmlns:st=3D"" xmlns=3D"http://www.w3.org/TR/REC-=
html40">
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.langname
{mso-style-name:langname;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:1112091511;
mso-list-template-ids:77266720;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"2050" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3DEN-US link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p><strong>Taken from my blog:<o:p></o:p></strong></p>
<p><strong><a
href=3D"http://blog.guya.net/2008/09/10/bug-in-internet-explorer-security-m=
odel-when-embedding-flash/"><span
style=3D'font-weight:normal'>http://blog.guya.net/2008/09/10/bug-in-interne=
t-explorer-security-model-when-embedding-flash/</span></a><o:p></o:p></stro=
ng></p>
<p><strong>Update</strong>: I've posted a real world example of <a
href=3D"http://blog.guya.net/2008/09/14/encapsulating-csrf-attacks-inside-m=
assively-distributed-flash-movies-real-world-example/"
target=3D"_blank"
title=3D"Encapsulating CSRF attacks inside massively distributed Flash movi=
es - Real world example">this
bug being exploited</a>.<o:p></o:p></p>
<p>This one has the same behavior on IE6, IE7 and IE8 betas.<o:p></o:p></p>
<p>I have only tested this with Flash swf files, but it's likely that this
security is applied and broken the same way, when navigating to different t=
ypes
of files.<o:p></o:p></p>
<p>When loading Flash file (swf) directly inside the browser without an htm=
l
page container, for ex: http://example.com/game.swf , most browsers create =
an
html page automatically and embed the swf inside it. FireFox and Google Chr=
ome,
for that matter, automatically create an embed tag with some default values=
,
and IE uses this mshtml script (<a
href=3D"res://\\mshtml.dll/objectembed_neutral.js"
title=3D"res://mshtml.dll/objectembed_neutral.js">res://mshtml.dll/objectem=
bed_neutral.js</a>)
to load the object.<o:p></o:p></p>
<p>The fact that this automatically created embed tag doesn't mention the <=
strong>allowscriptaccess</strong>
property it's defaulted to <strong>samedomain.</strong> This way the swf fi=
le
can script the automatically generated html page it resides in, using <a
href=3D"http://blog.guya.net/2006/06/19/understanding-flash%E2%80%99s-exter=
nalinterface/"
target=3D"_blank" title=3D"Understanding Flash ExternalInterface">ExternalI=
nterface</a>,
leading to a major security flaw. I will post about a real world example of
this security flaw, shortly.<o:p></o:p></p>
<p>Internet Explorer, rightfully, consider this generated page as less secu=
re
and as such restrict access to the JavaScript <strong>document</strong> obj=
ect.
It's preventing from the embedded swf to script the DOM of the page.<o:p></=
o:p></p>
<p>Just test it, go to <a href=3D"http://www.google.com/search?q=3Dfiletype=
%3Aswf"
target=3D"_blank" title=3D"Google - FileType: SWF">any swf file</a> on the =
web
using Internet explorer, then run this script in the address bar <strong>ja=
vascript:alert(document);</strong>
you'll see the error "Access is denied". Touching the document is
prohibited!<o:p></o:p></p>
<p><a
href=3D"http://blog.guya.net/wp-content/uploads/2008/09/error-access-denied=
.png"><span
style=3D'color:blue;text-decoration:none'><img border=3D0 width=3D435 heigh=
t=3D121
id=3D"Picture_x0020_1" src=3D"cid:image001.png@01C9172B.2E538D70";
alt=3D"Error_Access_Denied"></span></a><o:p></o:p></p>
<p>But, all that is needed to compromise this security feature in IE is to
reload the page. That's it, just reload the page once by pressing F5. Run t=
he
script again <strong>javascript:alert(document);</strong> you'll see the
precious <strong>document</strong> and no error will be thrown.<o:p></o:p><=
/p>
<p>Since most of the other javascript objects are still available and among
these is the <strong>window</strong> native object. A swf file, for example=
,
can reload the page on its own using window.location.reload() and then will=
be
able to bypass the restriction and freely manipulate the page.<o:p></o:p></=
p>
<p>This script can run from inside the swf using
ExternaInterface.call("eval", "script"); If the
"try" clause fail it's probably an IE browser and the page will
reload immediately without the user noticing. The 2nd time the page loads t=
he
"try" clause won't fail.<o:p></o:p></p>
<p class=3DMsoNormal><span class=3Dlangname>JavaScript:</span> <o:p></o:p><=
/p>
<ol start=3D1 type=3D1>
<li class=3DMsoNormal style=3D'color:#3A6A8B;mso-margin-top-alt:auto;mso-m=
argin-bottom-alt:
auto;mso-list:l0 level1 lfo1'><b><span style=3D'font-family:"Courier N=
ew";
color:#000066'>try</span></b><span style=3D'font-family:"Courier New";
color:#66CC66'>{</span><span style=3D'font-family:"Courier New"'><o:p>=
</o:p></span></li>
<li class=3DMsoNormal style=3D'color:#26536A;mso-margin-top-alt:auto;mso-m=
argin-bottom-alt:
auto;mso-list:l0 level1 lfo1'><span style=3D'font-family:"Courier New"=
'>$d =3D
document;<o:p></o:p></span></li>
<li class=3DMsoNormal style=3D'color:#3A6A8B;mso-margin-top-alt:auto;mso-m=
argin-bottom-alt:
auto;mso-list:l0 level1 lfo1'><i><span style=3D'font-family:"Courier N=
ew";
color:#009900'>//Mess with the DOM</span></i><span style=3D'font-famil=
y:
"Courier New"'><o:p></o:p></span></li>
<li class=3DMsoNormal style=3D'color:#26536A;mso-margin-top-alt:auto;mso-m=
argin-bottom-alt:
auto;mso-list:l0 level1 lfo1'><span style=3D'font-family:"Courier New"=
;
color:#66CC66'>}</span><b><span style=3D'font-family:"Courier New";
color:#000066'>catch</span></b><span style=3D'font-family:"Courier New=
";
color:#66CC66'>(</span><span style=3D'font-family:"Courier New"'>ex</s=
pan><span
style=3D'font-family:"Courier New";color:#66CC66'>){</span><span
style=3D'font-family:"Courier New"'><o:p></o:p></span></li>
<li class=3DMsoNormal style=3D'color:#3A6A8B;mso-margin-top-alt:auto;mso-m=
argin-bottom-alt:
auto;mso-list:l0 level1 lfo1'><span style=3D'font-family:"Courier New"=
'>window.</span><span
style=3D'font-family:"Courier New";color:#006600'>location</span><span
style=3D'font-family:"Courier New"'>.</span><span style=3D'font-family=
:"Courier New";
color:#006600'>reload</span><span style=3D'font-family:"Courier New";
color:#66CC66'>()</span><span style=3D'font-family:"Courier New"'>;<o:=
p></o:p></span></li>
<li class=3DMsoNormal style=3D'color:#26536A;mso-margin-top-alt:auto;mso-m=
argin-bottom-alt:
auto;mso-list:l0 level1 lfo1'><span style=3D'font-family:"Courier New"=
;
color:#66CC66'>}</span><span style=3D'font-family:"Courier New"'> <o:p=
></o:p></span></li>
</ol>
<p>I was impressed that Microsoft implemented such a security feature as
opposed to FireFox, Chrome and others who don't have a similar restriction.
but, it needs to be done right otherwise it misses the point.<o:p></o:p></p=
>
<p>As I said, I'll post a real world example of this being exploited, soon.=
<o:p></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal><i>Call me free at: <a href=3D"http://jajah.com/guy";>h=
ttp://jajah.com/guy</a><o:p></o:p></i></p>
<p class=3DMsoNormal><i>Visit me at: <a href=3D"http://guya.net/";>http://gu=
ya.net</a>
& <a href=3D"http://jajahdevblog.com/guy";>http://jajahdevblog.com/guy</=
a><o:p></o:p></i></p>
<p class=3DMsoNormal><o:p> </o:p></p>
</div>
</body>
</html>
<BR>
<BR>
<BR>
<BR>
************************************************************************************<BR>
This footnote confirms that this email message has been scanned by<BR>
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.<BR>
************************************************************************************<BR>
<BR>
<BR>
--_000_F5B5EF8F78C0BC4BB417E1DBB9D7F7D071E25FFFjjex01jajahdubl_--
--_004_F5B5EF8F78C0BC4BB417E1DBB9D7F7D071E25FFFjjex01jajahdubl_
Content-Type: image/png; name="image001.png"
Content-Description: image001.png
Content-Disposition: inline; filename="image001.png"; size=6016;
creation-date="Mon, 15 Sep 2008 12:04:19 GMT";
modification-date="Mon, 15 Sep 2008 12:04:19 GMT"
Content-ID: <image001.png@01C9172B.2E538D70>
Content-Transfer-Encoding: base64
iVBORw0KGgoAAAANSUhEUgAAAbMAAAB5CAIAAAA8i1i2AAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAgY0hSTQAAeiYAAICEAAD6AAAAgOgAAHUwAADqYAAAOpgAABdwnLpRPAAAAAlwSFlz
AAALEgAACxIB0t1+/AAAFulJREFUeF7tnXlsHNd9xxUkLooEqI20DhI7RWpbdiRZtiyJpGRJTqSk
cGO7BuImSOJDlhLVkp3UrYHYKdL+0aKNrH/awkX/aIvqCK8ll6dIStYNkTpI8SYl674oci8ub5ES
dXr7ezO7s7Nz7ZvZndnZ3e/gh9Vw5r3fe++77330ezOzb74QiUTmYIMCUAAKQAG5AkRGbFAACkAB
KCBXYA7kgAJQAApAAYUCICO6BBSAAlBAqQDIiD4BBaAAFAAZ0QegABSAAskUQMyYTKEMni8vj6xa
RY8OwKAAFEi/AjS4aIjpbCBjBslnWDR9Z2AiFIACdiugA0eQ0a1kRLRo95CAfyhACtBA09pARreS
MdZrJ7FBAShggwLxORnI6FYKan4z0cuLNnQJuIQCUGASZMwmHsbripgRgxcK2KkAyAgy2tm/4BsK
ZKcCICPImJ09F7WGAnYqADKCjHb2L/iGAtmpAMgIMmZnz0WtoYCdCoCMIKOd/Qu+oUB2KgAy5iYZ
f48NCkCBFBQAGUHGFLoPskKBHFUAZMxlMr6HDQpAAUsKgIwgo6WOg0xQIKcVABlzn4zZeQUctYYC
mVQAZAQZM9n/UDYUcKcCICPI6M6eiVpBgUwqADKCjJnsfygbCrhTAZARZHRnz0StoEAmFQAZQcZM
9j+UDQXcqQDImH9k7NlSVLSlx539EbWCAu5QAGTMezKmGZTV6+esr3ZH50YtoIBlBUDGvCej5b6j
zEiInSNsIGPaNIWjTCkAMuY9GcWYUfjcsl5EW4xtEuvmSNPvpCFh0gSZ6uooFwqYUABkBBljZJQD
kZFQNs02MeMGGU0MPyR1rQIgI8gYjxmjt2WkKDIaQYr/cN61ARldO9hRMRMKgIwgowEZLVwxBBlN
DD8kda0CICPIqENGNpuWX3DkpCTI6NrBjoqZUABkzEsyyqfJRbRF78AkzKZZLyLMKabSScGXNIGJ
3omkUCBTClgiY3l5ZNWqeM7YW+FxxKICJCZJamqLaa7Xb8SFlsUF9JztWyCjs3qjNHsUME9GGsNA
oR0KmIKje8loTz+FVyjgrALmyYho0Q4skk8Sln8DGZ0dJygt3xQwT8bYmFy26rv+8GjFvubKAy1V
h9qqD3dc9IXf3vh3NIkbwmZGAePvQJuWIGO+jVS011kFUiDjyhf84RHPpwcq9x2qOnik+lDrxaHQ
2o3v88c9SBlVQApC+RUBGZ0dJygt3xSwTsaiFSv8w6GypsbyXbsq9h6s3Nt8YTDw1ju/+k9sJhVA
zJhvow7tdb8C1slY+PxyXzBQXFdd2lDn2b3Hs+fA+UHfW3/9S/64BykRM7p/hKCG+amAdTIWLC8a
Cvp3VHuK67xlTU1lu/acGxh6c8O7NNqnxsZg/Ao4HzPGV4oQfytt4mfRSYcJntpJKhESZIEC1sm4
dFnhUMC3vapkR62nuKG+pGnXuYHBNzZsAhn5mSimdJiMDIvx30CzZ7nXb0nLWrZYhSwLBjyqyKmA
dTIuWVYwGBja6i3eUeMp3llf0sjIqI4Zm/W3w4cPT09NmeVI7qV3loxa8SFiRs7hgmR5o4B1Mi4u
KrjmH/qfiuKt1Z7t9fXFjbuF2fR7ipiRwHjv7t179+7ev3+P7PPP75PRn/TZ0dGxf//+keFQ7sHO
VIscJaMmBLUWZ5R+GBhdrpGlWb+erU1L82+DKTNm03kDj5xuaCpkLLzm9/1vZfnWGu+OxqaS3fvO
XfO9KdyBkXOBAsO7d++o4UhkPH78+M2bNw8cODAcDJpCSY4ldgUZlYszynp9fFEynoXIQMacBkbe
NM46GZcsWz4YDG6rqycslu454NnXcmEw9NbGv1GQ8dChQ3fu3J4a6en0Ptxd9/Xp0V4pcqSAca+w
0U6Owc5Uc1xBRgl6UlApv02jWHLCaHiAjHkDj5xuaApkXL5iMDi8feenO5r2lu1tqTjYdnFoeO3G
v1WQ8eDBg3du3zrbvM7fXzh8YeW55vXyaXXA7x+4elVFRm9siRdh5X1vjt/pdpSMmveh5VPs6D4B
LgZL2esQON44CDLmNDDypnHWyViw8ju+8Gjp3hbP/mPew53VLX2X/KNvv/uBgoyMeuHe7pqHI5E3
IpG1/Q2PTI+eFOEoBY8UNiYGWUTGwi1dOQ5EqcnOklFYdtHg3nScjLEFGUVI8t6lARnzBh453VDr
ZCx6YY1/ZKLyUFfV4b7aY5/Vt567HJxY996vFWQk6p3e98OpSyvqatbU1a6eubbqzIG/Yjdk7oGM
UfQ7TEbqz0bPM8YIKE+jIiPuwOQ0FdC4yckUyPid7/tHp7wtJ6uPnq5vPb/zxKXLoSkNMjb+d3/9
1yORN7/wxQfmzPliJPJ6f+OjUyO9cjju3r07WczIosj16wrnzFlXMybfH5vq2hx9l2d83p2YQHrs
XCflls3roquzbu7SqIY36r8odrYmmpzq4o2mj3ku2rw5Hu3Gi6M6G8W/qazqpteHM7c+I0YVFMgF
BayTcfnqvwiOz9SfuLKz/Wpj52BTt+/K8PS6X36kiBlbypcETxVGIj//8lce+PJXvkSIDJ0q6N+1
ht2wZpEje5qnqalJhSRp1WkRK+zKY4xNyv3ohUhGInEOLk8gIYkd1EwZBZyXgKdAmHC5s3BzL1Ug
7lzuMF6c6Ll3M7FbOhi7IOBdJ1FV884MyJgLIwltyC0FrJPx+TU/CE3cbOgcbOwcaur27+oJXB2e
Wfer38jJ6Dtb29Pwp/en/zIS+dHSJQ8VLP6jSOTVe+N/3tfw6Oi1T0U4kjU0NPDEjLErj7KrkAxY
cZxRNCcQSusyZfKU6lwJR2LOx6YYQ8VNYB95FukZJXjsoPyNAlJ0qRU8goy5NabQmlxQIAUyfu/l
0ORsU0+gqSe4qzdEdiV84+1EMvbtfjHY++y9wMpIsOhq68KBtmcioeX3AysD3c/07Xnp7p3b4qOO
tbW1ridj15ZCAbtxwtIRYzImmURr3IExvyYuZtO5MArRBvcpYJ2MK77/yvDUrV194d19w6IpyOg7
U/3Zrm/ePD1/tv+xyOVvPfnYA0/92R9Ghp66fXbezTNPn2p6dGSgiR51JDjW1NRYJKMwcZbNkaWp
t/rWdtKUmjFjbAovAZECRuX8Ou45cTYtTf8Tw0lV2IiY0X3jAjXKdwWsk/H5770SmrzV2B0iaxDs
Umhm7Xvx64y9Dc9e73480v/IvY4/iZx+eMOrD2x49Q8i579xv++RyMlvjrd/q6/xOXrUkeC4bds2
/euMIl/k2EpEWPxGh0RDnYd+kqTUnk0Lt33kj1Wy4FGYSa9bL8aMRLrY/FrnDox4r0b3USSQMd9H
IdrvPgWsk3HZmpeDE7M1HQGy6nY/2YXg9BubPpSuM7Z5vtZS8rWWbQ81b3uwZduD5+q/erb+q+zP
7Q81b32weccft3oevn1rluD4ySefmPrRiFOJzT9WmXg1k7OeTpMx4XkcAfq0EFn6NnKYPmdJPPGX
ld6U/N4ckwIFpVeBFMi4+qXAxGxVu1+y84Hrr29SPs/48ccfX5+cpDV1pq9PzVy/PjM9fWNm+uaN
mdkbN2Zv3rw1O0twpDScEHE2mWkysgd64ndjeJ9Ud/p5Rt5nti32NHdSI721Sq83i0Ijm50KWCdj
4eqX/OOz5a1+yc76p3+6UUnGf+DbnEUeJ7M4yRibX7Pwi/eui7y9uURGERkuBEd6q5Reb3YOcPi2
qIB1MhZ89yXf+GzpMZ9kZ/zXf/KOkoyuRB4nGR1KlnkyxlcYo6dGY0uNxSfdwmybbxUyTTJKzy9J
nZT/iCKLoptLhBIdqgeB/NEp8ayiaKnCcleaKeV5QUaLvMmebNbJWLj6ZYoZPW1BsvLWAJkQM8av
M4KJnApkgIxyYNBlRumn1PHfVLM98fpjdC/x59aaPVzOCzVopFhSnczgiAK1CiTxnJUwpwhm9Zio
hrvekewZ5qipaQWsk7Fg9cu+8VtlbSHJzvhnfiKQEZs5BRx+q6r6OqN85TFxsQn16jscVyeTklEO
KXlXTQB1LPTThKBBzKgZMMpDTkXQZ0xAdZU0W2d6wCFDlihgnYwUM14bm/W0h0SraA/1D03/2/9V
/mzTRzBTCmQgZlQsQZs+MmrOXvVwpsCWMdoUEZ8asuoZrnFwqudBTUyesrJkvKOavAqkQMY1rwyM
3a5oHyar7Ah7O8KHz02e9M2cD90wZedCN5gFyWaYBYRPZsJB9qd4lsMosVU7G5g5G5g2tnOBabKE
NP7rZ5U2rToiT0NnleZGMsbm0AmzacMlvfXAZGrurJ5x88yXNWfuenNndRSpeYSn2ryDDOmyUAHr
ZHztxz8t6bzQcHrMc4LgGK7sGPF2jFR1jlZ1jVZ1j1YnWlXXiJ55OykveQh5TjAro0uWdOGSXb6k
P4c9RN6O4UohjZfbKgnWMqs4EUpqrHTxmmn0sildPKX9gEe0E0GyCsHYvnCQzpYd95Ud9zOT3aOn
/aipzwq5oj5jOxkgY+Jckd100ZxEi8nUp7TeA2MQskmlyRkkHkx6RJHAYDatroBi+iyFfvKiDQho
UG29uDILCYAqaytgnYw//NGP3//37VWXJvZ/NkE0rO4eI6vpkWy0pnskZqM1Pcxqe8dq+8bq+sZF
qxd3ekdre0aqu4arOhn7CJGiMRR2hau6wtVixt6xmt5Rslr6ZN5GmHWHqymBkLdK+KR9dqR7pLo7
HC29Z4T8i0bp9YxyVXWGyLwdocp29ilZZXswaieEHcbHQOWJAH162nyJ5ve0SeYrb2Vn6ZPtiCak
rxDSVJyImtNkxFiAAlAgmQLWybj2F+8sfeEH/9V2wXt24sCZydqesdpuYtwoY1PHcBWhjeGDBVmE
GAIccaqul6FwZ99Ew8lJskb67J/YSawkMhIW24MVFFK1+j3MiDuUkXgXJhTW9Y3V94+LtpM+6U+B
pzWsrJCXSmkTUEWf7cGqDsZHKo4qU9c7xhL3jVEpolFGTaslmBJYCY5ERqHOVB/yzJy3+ipahyoI
aseHaL/8+FDZsUHxs+zoNbLSI1dLBCs9OlBKf9LBY4MlRwbEg8UtV5g1Xy4ha7lCJqRnZ1neowMg
Y7JeivNQwGkFrJNx06//9ZXX3lzziw9+e/z87z4Lbz05Wts1QowTaVXdQUzxeU/4K4XPqo5gTVeo
rjtc1xOu7x3Z2Tcatd5wXXeopjNY2TbkOTZAyGAEablKRtSgwKqSMlKWvpGGk2ONpyYaT403nRpv
PDnW0DdS3xsmnzXtfiqIyEUeKtro01fVERCKG67tHq7rHq6n7KL1hnf20s5wPR0UTlHRklEdvG0+
MvLgaR2kT2atQ3SkovVaZetgReug5/gA7ZcfGyg7cqX86FX6LG25XNpyqbT5YknzpeLDF+izpIXq
f7n0CBGQUEh/XiphZy8WN18QErB9dlw4JWS/DDI63etRHhRIpoB1Mn70m395Z+2GV197fekLL/7s
P37/4qfdC099DrOgAMiYrJfiPBRwWgHrZPznD//x73/7u/c//Kefv/tB0fMraYGJBYuXz1tU9NTC
JU8+vZhs7oLnnliw+An2+dzcBYvnPk3HlzxJZxcueWrhUsHY/lyWkiV7fP6ix+ZF7fF5i56Yz7LP
pcTPFDz1bMG3ny2ct4jZ/EVFbIcdKSAnkgfBCfPDHJIJzllZz4hlLWU7ChPqIFrUj5h3wWL2J2uI
8rhYVaFugtHOfKrqIqp8zMSz0YZHk7GULJlklFjaBxmd7vUoDwokU8A8GVetSmVtGOTVVYCE5d9i
D4frfb94D0yyno/zUMBIAfNkLC8H3WxRgITl31Ijo/LdgcZjhOPXL6IDeqNgdEvvumYYwlDAcQXM
k5FGL41hRI7m30xgFC2awiJ9BSmQUeN908brM3KSMZ6MM4PjnR0FQgFuBSyRkT+0QUqbFLBORvPY
4swhewe1weuouXsmEkKBTCoAMtqELpvdWiajHuYUa45Rn5RPuaWfwURny9LvBOMMVK9Bkcl+jbKh
QGoKgIw2I8wm92kmo2rNMdnvptnlQ0ZCGfq08AoypjYSkdtdCoCMNqHLZrfpJaPxmmPiWXkIGf81
dbw3g4zuGtmoTWoKgIw2I8wm95bJmLDyYqzv8JLR8JYzrjOmNhSR21UKgIw2octmt9bJKMyT4+uJ
sSdtxEW9E1bwVqxCFp1Nx94yGE8u68y4N+2qkY3KpKYAyGgzwmxynwIZFTdXonGgNFmWoBk/UhRd
oyz+wKLGHRhyi+cZUxuMyO0iBUBGm9Bls9vUyOiiDoiqQAFXKgAy2owwm9yDjK4cTqhUzigAMtqE
Lpvdgow5MwTREFcqADLajDCb3IOMrhxOqFTOKAAy2oQum92CjDkzBNEQVyoAMtqMMJvcg4yuHE6o
VM4oADLahC6b3aZERsWCD7E/lb9ykT29aPg+VWkwaL69z8JQUfhJl1tTNUlLoWlxolltC54tZDGl
mKnEZitjNr1BZThdgYw2I8wm9zaRUU5A6cltzrV2JieNX6zKP3JAxqRacQ5vuR+eLDxpktaNJ4Fj
BSkqw18uyGgTumx26wAZpZdKg4w8Y10rDf84NFuCBc88WXjSmK1qumJeh8sFGW1GmE3uHSCjUcyo
vQCj9H56aYCJi5ZRn1bsSH+KpwxCG7krMZniiF4Cg4zy6b+8JlI95bXVLFSeUkqgaLWijeqzclkU
OnCKpimjPK86gV57DVqhRpLoRP7FKY7I/1SkVHyDio6h99VIjVKIpug5PL1F0d/0gAsy2oQum93a
REapR7Od2PoRZmJGTmwpcJMRMioGth6b9MgoH8NqXstzcWpiUB/NU8ZuTWWR6q8mi/F/XXJgGTRZ
U1tN0dTY0mOiIqUFkfWYKB4HGW1GmE3ubSJj/DqjbNEIM2RMygv1iOXBomLoKkaLqbPqqEQetmjW
X12cFLmo82o20PggP1/UCNODminuWyaj+n84RVsMgjhjMsr/jzZotV7nMe4hxkwEGW2CliNuUyJj
Iur0Zs3SjDl3yagYIXo00RtmxlGS2UDJbMxo/J9QVpPR+ItQ41ghRdL/KUFGRyCVkUJSIqN0b0Xo
IboElD3NY/6pnaSxgwIcSf/UA42F40kjHc1wxvigwTzU7ESPJw7VC0J5qsEfeGoyyBRz9dqu8GyQ
TDNgN+gtBgqocxkgErPpjIAt5UJTI2PCS17ky44lEDA2oVY858guPxrdgUna6aWJkl5KvaBAbyZu
6rgisYQhqVC96qkRLE+p6VY+Sg3mlepk6v9XeGqVtA6asZVaAYUUmv+R6OmW9NuXw8hYE7W8SaGc
tCfIExhHjiBjypDKiINUycgzn7AlDX/XtKX47HTKKZoeF7Kz0RmuNciYEbClXCjImOGB42jxScmo
iOBMTRsdbUn2FAYypgypjDjIWjJmz9BATfNaAZAxI2BLuVCQMa+HLRpvuwIgY8qQyogDbjLa3oNQ
ABTIRQVAxoyALeVC+ciYcjFwAAXyVYHYENNs/5x8VcX17eYgo+vbgApCARcrADK6+MvRr1oyMubi
/AZtggLOKYDZdFaCUfranOspKAkK5JMCICPImE/9HW2FAnwKgIwgI19PQSookE8KgIwgYz71d7QV
CvApADKCjHw9BamgQD4pADKCjPnU39FWKMCnAMiYnWRctSr+zUkPXmEHCkCB9CpAA01rw5PebuVm
eTnICAWggO0K0EADGd1KQZ160XeGyDG9AQK8QQFJARpcOlikAYmYMctoiepCASjggAIgowMiowgo
AAWyTAGQMcu+MFQXCkABBxQAGR0QGUVAASiQZQqAjFn2haG6UAAKOKAAyOiAyCgCCkCBLFMAZMyy
LwzVhQJQwAEF/h/5TkrGBcTh2QAAAABJRU5ErkJggg==
--_004_F5B5EF8F78C0BC4BB417E1DBB9D7F7D071E25FFFjjex01jajahdubl_--
Brought to you by http://www.webappsec.org
Search this site
|