From: raz at chewies.net (Wayne Schroeder)
Subject: [A bug!] Whom to blame, the HTML interpreter or the JavaScript compiler?

Dude, you need to read the reply(s) to your original post.  If that
doesn't clear it all up for you and you're really serious about
your sploit, you should check out mine:

<html>
<body>
<!-- the numeric character references below decode to "Please go away!" -->
<span style='display: none;' id='leetShellCode'>
&#80;&#108;&#101;&#97;&#115;&#101;
&#103;&#111;
&#97;&#119;&#97;&#121;&#33;
</span>

<script language='JavaScript1.2' type='text/javascript'>
// innerHTML returns the already-decoded text of the hidden span
alert(document.getElementById('leetShellCode').innerHTML);
</script>
</body>
</html>

On Fri, Oct 10, 2003 at 10:38:59AM -0700, bipin gautam wrote:
> --- [Affected] ---
> All versions of "OPERA, MOZILLA and INTERNET EXPLORER"
> available up to this release DATE!
> --- [Proof of concept] ---
> We have made a small script. Check it out,
> http://www.cyberdude.com.np/javascript.htm
> --- [Bug Details] ---
> ********************************************
> <html>
> <body>
> <p>THIS IS hUNT3R aka: Bipin Gautam</p>
> <script>alert("<script>location.href="http://www.ysgnet.com"</script>")</script>
> </body>
> </html>
> ********************************************
> 
> 
> <html>
> <body>
> <p>THIS IS hUNT3R aka:Bipin Gautam, exploit revised by
> Cyberdude</p>
> <script>
> document.write("<b>hUNTER &
> Cyberdude</b></script><script>alert("it works 1");
> alert("This works 2");
> </script>
> </body>
> </html>
> 
> *********************************************
> --[Description]---
> The browser is letting you compile something inside
> the alert function. Well, it should show it anyway
> without compiling the script tag as it is inside the
> quotation. But surprisingly, the output is different! We
> found the JavaScript compiler choked when we used the
> <script> tag inside a function like alert(); this also
> proves to be true for the document.write() function. This
> means that this script is going to choke badly and you
> won't get any output but just the ); that's all.
> 
> This script is working. It's not that it is not
> working. It works in the starting script tag, but when
> the HTML parses the script tag inside the
> document.write it goes mad coz nested scripting is not
> possible in HTML; the only nested tag in HTML must be
> the table tag, so in this script the HTML interpreter
> goes mad, but we can still insert the JavaScript in
> it.
> 
> What we did was, we inserted the closing tag of
> JavaScript </script> first, closing the script tag that
> was opened already. After that we added the new
> starting <script> tag and wrote two alert tags now...
> So this is how we injected two alert tags in the
> JavaScript.
> --- [Conclusion] ---
> This proves injection of JavaScript inside
> JavaScript, making it available to use the current
> variables, change some predefined static values and
> even access other functions without a problem. This was
> just a small demo; we use this simple script to just
> stop it from printing garbage on the screen.
> --- [Background Information] ---
> This bug was originally discovered by hUNT3R [myself],
> a member of 01 Security Submission. I would like to
> thank my friend 'Cyberdude' for further exploring it
> and taking it to a new Level.
> http://www.ysgnet.com/hn
> ---[I want a JOB/scholarship... anyone??? - hUNT3R]---
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
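
The "bug" in the quoted post is the HTML tokenizer rule that a script element's content ends at the first `</script` it sees, whatever the JavaScript around it says. The following is an added example, not code from either poster: it simulates that rule and shows the usual escaping applied to data embedded in inline script so it cannot break out of the element (the function names `scriptBlocks` and `toInlineScript` and the sample strings are my own).

```javascript
// Added example, not code from either poster. Simulates the HTML rule that a
// <script> element's content ends at the first "</script" the tokenizer sees,
// regardless of JavaScript quoting, and shows the escaping that keeps data
// embedded in inline script from breaking out of the element.

// Return the raw text of each <script> element the way an HTML tokenizer
// would see it: from the end of the start tag to the first case-insensitive
// "</script". JavaScript string syntax is deliberately not considered,
// because the HTML tokenizer does not consider it either.
function scriptBlocks(html) {
  const blocks = [];
  const lower = html.toLowerCase();
  let pos = 0;
  for (;;) {
    const open = lower.indexOf('<script', pos);
    if (open === -1) break;
    const gt = lower.indexOf('>', open);
    if (gt === -1) break;
    const close = lower.indexOf('</script', gt + 1);
    const end = close === -1 ? html.length : close;
    blocks.push(html.slice(gt + 1, end));
    pos = end === html.length ? end : close + '</script'.length;
  }
  return blocks;
}

// Serialize a value for embedding in an inline <script>: JSON, with every
// '<', '>' and '&' written as a \uXXXX escape so the output can never contain
// "</script" or "<!--", and U+2028/U+2029 escaped because older engines treat
// them as line terminators inside string literals. The result is still valid
// JSON, so JSON.parse() recovers the original value.
function toInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Constructed input modelled on the quoted post: a JS string literal that
// contains "</script>". The tokenizer stops at that inner tag, so the only
// script block is the unbalanced 'alert("<script>location.href=...' and the
// trailing '")' is rendered as page text, which is what the post observed.
const broken = '<script>alert("<script>location.href=\'x\'</script>")</script>';

// The same hostile text, embedded through toInlineScript(): one intact block.
const hostile = '</script><script>alert(1)</script>';
const safePage = '<script>var msg = ' + toInlineScript(hostile) + ';</script>';
```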

