Message-ID: <20040715195844.5B4C.0@argo.troja.mff.cuni.cz>
From: peak at argo.troja.mff.cuni.cz (Pavel Kankovsky)
Subject: Exploits in websites due to buggy input validation where mozilla is at fault as well as the website.

On Wed, 14 Jul 2004, Seth Alan Woolley wrote:

> If the topic of exploiting browsers to gain unauthorized access to
> websites with buggy input validation is back in vogue, here's a strange
> situation for you that _only_ works in mozilla-based browsers:
> 
> http://bugzilla.mozilla.org/show_bug.cgi?id=226495

See http://www.w3.org/TR/html401/appendix/notes.html#h-B.3.7
(and "SHORTTAG ON" in http://www.w3.org/TR/html401/sgml/sgmldecl.html)

<div><script src="indexvuln.js"</div>

should be interpreted as

<div><script src="indexvuln.js"></script></div>

W3 HTML validator interprets it this way (complaining about missing
</script>).

There are two questions:
1. Should Mozilla support this bizarre esoteric feature of HTML?
   (in fact, this is a bizarre esoteric feature of SGML)
2. Should Mozilla mangle the source when you view it?

I believe the answer is "no" in both cases.
Ad 1. That support should be completely eliminated or at least
      made configurable and disabled by default.
Ad 2. I really hate it. It's like MSIE turning \'s into /'s in URL.

> If you read the comments on the reported bug, they seemed to fail to
> understand the bug and how easy it would be to fix while maintaining
> backwards compatibility.  Then they resolved it duplicated on me when it
> wasn't the same bug as the other bug, essentially keeping it quiet.

Excuse me? As far as I can tell it is the same problem. The only
difference is the fact you demonstrated possible security consequences of 
it.

> Lots of perl and php scripts exist out there that filter for the regular
> expression '<.*>' matching only whole tags instead of '[<>]' which
> matches either end of a tag.

The mistake made by those scripts is obvious: they attempt to deny bad
things and allow everything else rather than allow known good things
(ie. well-formed documents in some harmless subset of (X)HTML) and deny
everything else.


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
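The filtering mistake discussed in the message above, shown as an added Python example (it is not code from the post or from the Mozilla bug). It assumes a hypothetical page template that drops user text into a `<td>...</td>` cell, and the user input is constructed for the demonstration: the regex `<.*>` only removes complete tags, so a start tag with no closing `>` passes untouched and the template's own `</td>` supplies the `>`, exactly the SGML SHORTTAG behaviour the thread describes. Escaping the text (the "allow known good things" approach) leaves no unterminated tag to be closed.

```python
import html
import re

# Constructed user input: a <script ...> start tag that is never closed,
# so it contains no '>' for a whole-tag regex to match.
USER_INPUT = 'hello <script src="indexvuln.js"'


def denylist_filter(text: str) -> str:
    """The flawed filter from the thread: strip only complete '<...>' tags."""
    return re.sub(r'<.*>', '', text)


def allowlist_escape(text: str) -> str:
    """Treat the input as plain text: escape every HTML metacharacter."""
    return html.escape(text, quote=True)


def render(user_text: str, sanitize) -> str:
    """Hypothetical template: the sanitized text lands inside a table cell."""
    return '<td>' + sanitize(user_text) + '</td>'


def has_unterminated_tag(fragment: str) -> bool:
    """True if some '<' is followed by another '<' (or end of input) before a '>'.

    That is the condition under which a SHORTTAG-style parser borrows the
    closing '>' from the next tag, turning the fragment into a real element.
    """
    in_tag = False
    for ch in fragment:
        if ch == '<':
            if in_tag:
                return True
            in_tag = True
        elif ch == '>':
            in_tag = False
    return in_tag


if __name__ == '__main__':
    # Denylist: the unterminated tag survives and the template closes it.
    bad = render(USER_INPUT, denylist_filter)
    print(bad, '->', 'unterminated tag' if has_unterminated_tag(bad) else 'clean')
    # Allowlist/escape: the '<' and quotes become entities; nothing to close.
    good = render(USER_INPUT, allowlist_escape)
    print(good, '->', 'unterminated tag' if has_unterminated_tag(good) else 'clean')
```

Note that the greedy `<.*>` removes a properly closed `<b>x</b>` entirely, which is why such filters look like they work in testing: the dangerous case is precisely the input that contains no `>` at all.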

