lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 25 Apr 2005 01:05:21 -0300
From: Nicolas Montoza <xonico@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com,
	news@...uriteam.com, bugs@...uritytracker.com,
	submissions@...ketstormsecurity.org, vuln@...unia.com
Subject: Possible XSS in User-Agent


Analyzing User Agent does not make filters of anyone type, being able
to inject xss or HTML.

POC
===

let us suppose that the page we visit has the navigatorĀ“s check

You are sailing with Mozila Firefox....

In php, this simply is

<? echo $HTTP_USER_AGENT ?>

then we install any kind of soft which allows us to modify the user
agent,  in mozila _firefox you could use this plugin

https://addons.update.mozilla.org/extensions/moreinfo.php?id=59

Example:

USER AGENT: <h1>Soulblack</h1>
USER AGENT:<script>alert('SoulBlack')</script>

it works correctly :).

The logfile of apache ;

127.0.0.1 - - [23/Jan/2006:14:54:02 +0000] "GET /favicon.ico HTTP/1.1"
404 283 "-" "<script>alert('SoulBLack')</script>" "-"

the tests were made with php and apache.

The bug could be in php, or in the protocol , we have not even probe
in another language like asp , etc ...
if the bug resides in the protocol, the model of control of user agent
could  be   [a-z][0-9] .

Any suggest or comment?

POC created by Soulblack Group.
www.soulblack.com.ar

--
 SoulBlack - Security Research
 http://www.soulblack.com.ar

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ