| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <27550198$10595331783f27317abd1216.25876744@config16.schlund.de>
Date: Wed, 30 Jul 2003 04:48:01 +0200
From: <ben.moeckel@...webmasters.net>
To: <bugtraq@...urityfocus.com>
Subject: [bWM#012] Passing script/html-filter with special chars (multibrowser)
ben moeckel security research - http://badWebMasters.net - security
advisories
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - -
badWebMasters security advisory #012:
Passing script/html-filter with special chars (multibrowser)
Discovery date: 2003-07-16
Author:
ben moeckel (http://distressed.de)
mailto: badwebmasters@...ine.de
Description:
When webbrowsers parse html they remove special chars,
this behavior may be used by an malicious user to fool
script/html-filters in webapplications.
Detail:
badWebMasters showed in their advisory #011 how to pass
the "Snitz Forums"-scriptfilter with the Tab-Char (09).
After "Opera" and "Mozilla"-users noticed that the
provided exploit didn't work on their system I decided
to start some new testings, with an amazing result!
To detect what kind of special chars can be used in html-
parameters I set up the following asp-page:
-------------------------------------------2.asp---------
<%@...GUAGE=JScript%><%
%><script>function a(o){alert(o)}</script><%
%><img src="javascript:a('test')" /><%
for(i=0;i<256;++i){
uc = "%"+chk(i.toString(16));
%><img src="ja<%=unescape(uc)%>vascript:a(<%=i%>)" />
<% }
function chk(sInp){if(sInp.length<2){
return String("0"+sInp)
}else{return sInp}}
%>
---------------------------------------------------------
The page has been viewed with Mozilla, Opera and Internet-
Explorer, the alert-box poped up in this order:
Mozilla 1.3.1 (Win32): 0 (with restricions)
Opera 7.11 (Win32): 0, 9, 10, 13, 173
Internet Explorer 5.0: 13, 10, 9, 0
Mozilla doesn't allow the window.alert()-method in "javascript:"-
images, so I had to use my own function "a()". It also returned
an error for char 9, 10 and 13: "Error: unterminated regular
expression literal".
Webmasters may be carefull with char 173 (ADh) that can be used
in Opera only.
And last but not least silly Internet Explorer: reversed order!?
Test:
http://badwebmasters.net/advisory/012/test.asp
Workaround:
This advisory adresses all webapps that use a badword filter,
make sure all control-chars are removed before badwords are
removed!
References:
badWebMasters advisory #011: Cross-Site-Scripting @ Snitz Forums
- http://cert.uni-stuttgart.de/archive/bugtraq/2003/04/msg00247.html
Feedback:
Comments, suggestions, updates, anything else?
-> mailto:badwebmasters@...ine.de
Source:
http://badwebmasters.net/advisory/012/ (text/html)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - -
Copyright 2003 by ben moeckel (Benjamin Klimmek) for badWebMasters.
http://badwebmasters.net
Powered by blists - more mailing lists