Date: Wed, 12 Sep 2007 00:35:28 +0900
From: "HASEGAWA Yosuke" <yosuke.hasegawa@...il.com>
To: Full-Disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: XSS using Atom feed in www.ibm.com

XSS using Atom feed in www.ibm.com

Abstract:
An XSS via the Atom feed output existed in www.ibm.com (already fixed).
This technique works only on IE6; it does not work on IE7 or Firefox.

Poc:
  http://www.ibm.com/fscripts/search/opensearch/search.fcgi/a.html?
  q=%2BADw-/title%2BAD4-%2BADw-script%2bAD4-alert(document.location)
  %2BADw-/script%2BAD4-&v=16&en=utf&lang=ja&cc=en&format=atom&startIndex=1

  When this URL is opened in IE6, the script executes.

Details:
By adding the "format=atom" parameter, "Content-Type: application/atom+xml"
is returned as a response header.

Note that no charset is given. This is the first step of the attack.

Next, IE6 does not understand "application/atom+xml" as a Content-Type.
This is the second step.

The third step: the original search URL on ibm.com is the following:
  http://www.ibm.com/fscripts/search/opensearch/search.fcgi?q=....
Even if PATH_INFO is appended as follows, the search still works:
  http://www.ibm.com/fscripts/search/opensearch/search.fcgi/a.html?q=....
Because the Content-Type cannot be judged, IE6 determines the file type
from the appended PATH_INFO and treats the response as HTML.

Therefore IE6 interprets the content as HTML encoded in UTF-7, and the
script included in the parameter is executed.

Solution:
Now a charset is added to the Content-Type of this CGI, as in
"Content-Type: application/atom+xml; charset=utf-8", and moreover
"%3c" in the "q" parameter is encoded to "&lt;".
As a result, injecting script via UTF-7 is no longer possible.

There is another solution as well.

When the Content-Type cannot be understood, IE6 falls back to deciding
the file type from the Content-Disposition header.
So the file type being judged as HTML from PATH_INFO can be prevented
by adding a Content-Disposition header such as:
"Content-Disposition: inline; filename=a.xml"

-- 
HASEGAWA Yosuke
    yosuke.hasegawa@...il.com
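The following is an added example, not code from the advisory or from IBM's search.fcgi. It decodes the advisory's PoC query the way a UTF-7 decoder would, and models the three-step decision chain (unknown Content-Type, no charset, PATH_INFO ending in .html) against both the vulnerable headers and the two fixes described above. Python's utf-7 codec stands in for IE6's decoder, KNOWN_TYPES is a stand-in for the media types IE6 handled natively, and the Atom body echoing q into the feed title is hypothetical; none of these are claims about IE6 or the real CGI. One point worth noticing: the UTF-7 payload contains no literal "<" at all, so the "&lt;" escaping leaves it untouched and it is the declared charset (or the Content-Disposition fallback) that actually defeats this payload.

```python
import codecs
import html
import re
from urllib.parse import parse_qs, urlsplit

# The PoC URL from the advisory, re-joined from the three wrapped lines.
POC_URL = (
    "http://www.ibm.com/fscripts/search/opensearch/search.fcgi/a.html?"
    "q=%2BADw-/title%2BAD4-%2BADw-script%2bAD4-alert(document.location)"
    "%2BADw-/script%2BAD4-&v=16&en=utf&lang=ja&cc=en&format=atom&startIndex=1"
)

# Assumption: a minimal stand-in for the media types IE6 handled natively;
# application/atom+xml is deliberately absent, as the advisory states.
KNOWN_TYPES = {"text/html", "text/plain", "text/xml", "application/xml"}


def query_as_utf7(url):
    """Return (raw q parameter, what a UTF-7 decoder makes of it).

    Every '+' in the PoC is sent as %2B so the server's form decoder does
    not turn it into a space; after decoding, '+ADw-' and '+AD4-' are the
    UTF-7 shift sequences for '<' and '>'.  Python's codec stands in for
    IE6's UTF-7 decoder (an assumption, not a claim about IE6 itself).
    """
    raw = parse_qs(urlsplit(url).query)["q"][0]
    return raw, codecs.decode(raw.encode("ascii"), "utf-7")


def declared_charset(headers):
    """Charset parameter of Content-Type, or None when the server omits it."""
    for param in headers.get("Content-Type", "").split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "charset":
            return value.strip().strip('"').lower()
    return None


def ie6_like_type(headers, request_path):
    """Simplified model of the decision chain the advisory describes.

    A known Content-Type wins; otherwise the filename from Content-Disposition,
    and failing that the last path segment (the PATH_INFO trick), decides.
    """
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype in KNOWN_TYPES:
        return ctype
    m = re.search(r'filename="?([^";]+)', headers.get("Content-Disposition", ""))
    name = m.group(1) if m else request_path.rsplit("/", 1)[-1]
    return "text/html" if name.lower().endswith((".html", ".htm")) else "application/xml"


def utf7_xss_possible(headers, request_path):
    """The attack needs both: HTML sniffed from the path AND no declared charset."""
    return ie6_like_type(headers, request_path) == "text/html" and declared_charset(headers) is None


def atom_response(q, fixed):
    """Hypothetical search.fcgi output echoing q into the feed title.

    fixed=False reproduces the headers the advisory describes; fixed=True
    applies both remedies: charset plus '&lt;' escaping, and the
    Content-Disposition fallback.
    """
    headers = {"Content-Type": "application/atom+xml; charset=utf-8" if fixed else "application/atom+xml"}
    if fixed:
        headers["Content-Disposition"] = "inline; filename=a.xml"
    title = html.escape(q, quote=False) if fixed else q
    body = ('<?xml version="1.0"?>'
            '<feed xmlns="http://www.w3.org/2005/Atom"><title>' + title + '</title></feed>')
    return headers, body


if __name__ == "__main__":
    raw, seen_by_ie6 = query_as_utf7(POC_URL)
    print("q on the wire :", raw)
    print("as UTF-7      :", seen_by_ie6)
    path = urlsplit(POC_URL).path
    for fixed in (False, True):
        hdrs, _ = atom_response(raw, fixed)
        print(f"fixed={fixed}: sniffed={ie6_like_type(hdrs, path)} "
              f"charset={declared_charset(hdrs)} exploitable={utf7_xss_possible(hdrs, path)}")
```

Running it prints the decoded payload `</title><script>alert(document.location)</script>` and shows the vulnerable response sniffed as text/html with no charset, while the fixed response is pinned to utf-8 and, via the filename=a.xml fallback, no longer sniffed as HTML even though the request path still ends in a.html.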

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
