lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: visitbipin at yahoo.com (bipin gautam)
Subject: [A bug!] Whom to blame, the HTML interpreter or the JavaScript compiler?

--- [Effected] ---
All versions of "OPERA, MOZILLA and INTERNET EXPLORER"
available up to this, relese DATE!
--- [Proof of concept] ---
We have made a small script. Check it out,
http://www.cyberdude.com.np/javascript.htm
--- [Bug Details] ---
********************************************
<html>
<body>
<p>THIS IS hUNT3R aka: Bipin Gautam</p>
<script>alert("<script>location.href="http://www.ysgnet.com"</script>")</script>
</body>
</html>
********************************************


<html>
<body>
<p>THIS IS hUNT3R aka:Bipin Gautam, exploit revised by
Cyberdude</p>
<script>
document.write("<b>hUNTER &
Cyberdude</b></script><script>alert("it works 1");
alert("This works 2");
</script>
</body>
</html>

*********************************************
--[Description]---
The browser is letting you compile some-thing inside
the alert function. Well, its should show it anyways
without compiling the script tag as it is inside the
quotation. But surprising, the output is different! We
found JavaScript compiler choked when we use the
<script> tag inside a function like alert(); this also
proves to be true for document.write(); function. This
means that this script is going to choke bad and you
wont get any output but just the ); thatís all.

This script is working. Its not that it is not
working. It works in the starting script tag but when
the html parses the script tag inside the
document.write it goes mad coz nested scripting is not
possible in HTML, the only nested tag in HTML must be
the table tag, so in this script the HTML interpreter
goes mad. but we can still insert the java script in
it.

What we did was, we inserted the closing tag of
JavaScript </script> first closing the script tag that
was opened already. After that we added the new
starting <script> tag and wrote two alert tags now...
So this is how we injected two alert tags in the java
script.
--- [Conclusion] ---
This proves injection of JavaScript inside a
JavaScript making it available to use the current
variable and change some static values predefined and
even access other function without a problem. This was
just a small demo; we use this simple script to just
stop it from printing garbage on the screen.
--- [Background Information] ---
This bug was originally discovered by hUNT3R,[myself]
a member of 01 Security Submission. I would like to
thank my friend 'Cyberdude' for further exploring it
and taking it to a new Level.
http://www.ysgnet.com/hn
---[I want a JOB/scholarship... anyone??? - hUNT3R]---


__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com


Powered by blists - more mailing lists