Open Source and information security mailing list archives
From: raz at chewies.net (Wayne Schroeder)
Subject: [A bug!] Whom to blame, the HTML interpreter or the JavaScript compiler?

At this point, I'm about ready to classify your email as flamebait.  I'm
not quite sure if you're not just yanking everyone's chain here. The
only issue that this could ever cause is if someone allowed untrusted,
unescaped data into a JavaScript <script> tag set.  This of course is a
BadThing(tm) and is just another XSS vuln method.  It's not a vuln or
bug with any web browser.  You might as well blame them for being
standards compliant.  It is the job of the browser to stop parsing the
stuff inside the <script> tag when it hits a </script> no matter what.
It is the web app / cgi programmer who must make sure this does not
happen, not the browsers.  You might as well blame the browser for
allowing people to insert " or ' in an HTML tag such as a form input
value attribute.

Let's recap...

It's not any browser's fault or any JavaScript parser's fault.

The JavaScript parser only sees what is inside script tags.

Escape any data from an untrusted source that goes to a web browser.

To escape said text, depending on what the context is, let's say for the
sake of argument and example, a string constant in double quotes, all
you have to do is escape things that can cause issues with a \.

For instance... in Perl:

my $data = "hey string</script><script>alert('PWNED');</script>";
$data =~ s/(\W)/\\$1/g;   # put a backslash in front of every non-word character

now $data is the following:
hey\ string\<\/script\>\<script\>alert\(\'PWNED\'\)\;\<\/script\>

This string can go inside a JavaScript string constant and won't cause
the HTML PARSER to think it's the end of the JavaScript block. Some may
think that \W is adding too many \ to the string, but it gets the job
done.  You could use another char set like [^<"'\\] or similar if you
were anal about it.

You can't blame web browsers for the XSS issues that lacky web coders
allow.  I don't know what vendor you contacted, but the only things you
mentioned were web browsers, so I am guessing you contacted MS or the
Mozilla team.  Don't be surprised when they don't consider it a browser
bug.

> fine! i am stupid then!

You said it, not me.

> YOU THINK I AM STUPID CAUZ I COULDN'T EXPLAIN YOU WHAT
> I MEAN!!!

Something tells me they used another metric... perhaps because you're
also fishing for jobs and scholarships with an 'advisory' that many
people have already tried to explain is not valid.

On Fri, Oct 10, 2003 at 08:53:53PM -0700, bipin gautam wrote:
> fine! i am stupid then!
> 
> you will regret those words when you are using my
> exploit's to .....
> 
> hell search google! you will find a lot!
> http://www.google.com.np/search?q=%22bipin+gautam%22+hUNT3R&ie=UTF-8&oe=UTF-8&hl=ne&btnG=%E0%A4%97%E0%A5%81%E0%A4%97%E0%A4%B2+%E0%A4%96%E0%A5%8B%E0%A4%9C%E0%A5%80
> 
> YOU THINK I AM STUPID CAUZ I COULDN'T EXPLAIN YOU WHAT
> I MEAN!!!
> 
> -------------------------------------
> --- bipin gautam <visitbipin@...oo.com> wrote:
> > well... i've PERSONALLY tried it with IE 6 AND Opera
> > 7.11 and MOZILLa....... for windows!
> > 
> > well... for the other statistic i've been reported
> > by
> > friends/people like you!
> > 
> > it does work!
> > 
> >  
> > --------------------------------------
> > --- Florian Huber <florian.huber@...t-online.de>
> > wrote:
> > > On Fri, 10 Oct 2003 10:38:59 -0700 (PDT)
> > > bipin gautam <visitbipin@...oo.com> wrote:
> > > 
> > > > --- [Effected] ---
> > > It's spelled "affected" ;P
> > > 
> > > > All versions of "OPERA, MOZILLA and INTERNET
> > > EXPLORER"
> > > > available up to this, relese DATE!
> > > 
> > > Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a)
> > > Gecko/20030813
> > > Mozilla Firebird/0.6.1
> > > 
> > > Definitely _not_ vulnerable...
> > > 
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter:
> > http://lists.netsys.com/full-disclosure-charter.html
> > 
> > 
> > __________________________________
> > Do you Yahoo!?
> > The New Yahoo! Shopping - with improved product
> > search
> > http://shopping.yahoo.com
> > 
> 
> 

