Message-ID: <20031010121349.GA12584340@ohm.arago.de>
From: full-disclosure at arago.de (Thomas Binder)
Subject: !A stupid bug ...that works on mozilla, opera, IE!

Hi!

On Thu, Oct 09, 2003 at 06:04:00PM -0500, Wayne Schroeder wrote:
> I don't know sport... I think you need to double check your "'s
> and look again.  Javascript console is just bitching on my
> mozilla saying that the alert function isn't finished with a )
> correctly.

Also note that using the sequence </ within a <script> block will
be treated as end-of-script. Quoting from
http://www.w3.org/TR/html4/types.html#type-cdata:

-- snip --
Although the STYLE and SCRIPT elements use CDATA for their data
model, for these elements, CDATA must be handled differently by
user agents. Markup and entities must be treated as raw text and
passed to the application as is. The first occurrence of the
character sequence "</" (end-tag open delimiter) is treated as
terminating the end of the element's content. In valid documents,
this would be the end tag for the element.
-- snap --

Thus, even with correct quotes, the JavaScript code will be
considered finished at the first </script>, even though it's
within quotes (the browser must not interpret the script code when
looking for the end tag). The remaining

")</script>

is then displayed as

")

in the browser window. Note that it gets displayed in the
document, not in an alert box (which the original post was
suggesting).

Furthermore, you'll get a JavaScript error, as the actual script
code seen by the engine is

alert("<script>location.href="http://www.ysgnet.com"

which is invalid - so no alert box at all.


Ciao

Thomas
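As an added illustration of the HTML 4 rule Thomas quotes (this is example code written for this archive page, not code from the original post or from the W3C text), the snippet below models a user agent that ends a script element's content at the first "</" without interpreting the JavaScript in between, and shows the escaping a page author uses to keep such a sequence inside a string literal from closing the element. The function names and the sample page string are this example's own constructions.

```javascript
// Model of the HTML 4 CDATA rule for SCRIPT: the user agent does not parse
// the JavaScript inside the element; it simply treats the first "</" after
// the start tag as the end of the element's content. Everything after the
// end tag is ordinary document text and is rendered, not executed.
// (Helper names below are this example's own, not a browser API.)

// Split an HTML string at its first <script> element using that rule.
// Returns { script, remainder } or null when no <script> start tag exists.
function splitScriptHtml4(html) {
  const open = html.search(/<script\b[^>]*>/i);
  if (open === -1) return null;
  const bodyStart = html.indexOf(">", open) + 1;
  const close = html.indexOf("</", bodyStart);
  if (close === -1) return { script: html.slice(bodyStart), remainder: "" };
  // Skip the end tag itself (through the next ">"); the rest is plain text.
  const afterTag = html.indexOf(">", close);
  const remainder = afterTag === -1 ? "" : html.slice(afterTag + 1);
  return { script: html.slice(bodyStart, close), remainder };
}

// Defensive counterpart for page authors: when data is written into an
// inline script, escape "</" as "<\/". Inside a JavaScript string literal
// "\/" is just "/", so the script's value is unchanged, but the HTML parser
// no longer sees an end-tag open delimiter and the element stays open.
function escapeForInlineScript(s) {
  return s.replace(/<\//g, "<\\/");
}

// Constructed sample mirroring the thread: a string literal that contains
// "</script>" inside an alert() call.
const page =
  '<script>alert("<script>location.href="http://www.ysgnet.com"</script>")</script>';

// The same page with the embedded data escaped before insertion.
const fixedPage =
  '<script>alert("' + escapeForInlineScript('</script>') + '")</script>';

// --- usage ---
const parts = splitScriptHtml4(page);
console.log("script seen by the engine:", parts.script);
console.log("rendered as document text:", parts.remainder);
console.log("escaped page, script body:", splitScriptHtml4(fixedPage).script);
```

Running this reproduces the post: the engine receives the truncated, syntactically invalid call `alert("<script>location.href="http://www.ysgnet.com"` and the browser renders the leftover `")` as text. Modern HTML5 parsers are slightly more lenient (the script data state ends only on a `</script` sequence rather than any `</`), but a `</script>` inside a string literal still terminates the element there too, so escaping `</` as `<\/` when embedding data in inline scripts remains the correct fix in either parsing model.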

