| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: seth at tautology.org (Seth Alan Woolley) Subject: Exploits in websites due to buggy input validation where mozilla is at fault as well as the website. Sorry for the gory SGML details to follow... On Thu, Jul 15, 2004 at 09:13:12PM +0200, Pavel Kankovsky wrote: > On Wed, 14 Jul 2004, Seth Alan Woolley wrote: > > > If the topic of exploiting browsers to gain unauthorized access to > > websites with buggy input validation is back in vogue, here's a strange > > situation for you that _only_ works in mozilla-based browsers: > > > > http://bugzilla.mozilla.org/show_bug.cgi?id=226495 > > See http://www.w3.org/TR/html401/appendix/notes.html#h-B.3.7 > (and "SHORTTAG ON" in http://www.w3.org/TR/html401/sgml/sgmldecl.html) > > <div><script src="indexvuln.js"</div> > > should be interpreted as > > <div><script src="indexvuln.js"></script></div> > > W3 HTML validator interprets it this way (complaining about missing > </script>). SHORTTAG options are listed in 7.3.1.2 of ISO 8879, and the </div> is option b of that section, so the implied </script> is correct. But there's more to SHORTTAG than start tag completion (section 7.4.1.2). Mozilla doesn't even respect the <tag/CDATA/ minimization feature of SMGL's SHORTTAG. Do you blame them? See http://www.cs.tut.fi/~jkorpela/qattr.html#shorttag for why they probably didn't (the example doesn't work). '<' isn't allowed inside a tag without an entity reference (<), so it can't close the tag (not the entity) with the '>' in '</div>' like thus: '<script src="indexvuln.js"</div>'. '<div><script> src="indexvuln.js"</script></div>' would be a lot more sane. That matches the BNF listed in the book, but it doesn't satisfy SMGL's command to be a greedy matcher. It's really just a simple request for security. At least a user pref for this? Can they hide behind SHORTTAG when all the rest of SHORTTAG hasn't been implemented because it would break most unquoted href attributes with more than one slash? I'll reference this: http://lists.w3.org/Archives/Public/www-html/2002Nov/0055.html (from one of the people working on the W3 validator) It suggests that the HTML WG should clarify the 4.01 spec using an errata to say that now that Annex K to ISO8879 exists and is better known, the HTML DTD should use more specific options for SHORTTAG allowing what's commonly used (attribute minimization such as quotes left off or default values) and not allowing all the rest (which are not only only implemented in just one browser only partially, but they are also opening up possible security holes easier due to an author not knowing about really obscure and rarely implemented start tag minimization as I have pointed out). > > There are two questions: > 1. Should Mozilla support this bizzare esoteric feature of HTML? > (in fact, this is a bizzare esoteric feature of SGML) > 2. Should Mozilla mangle the source when you view it? > > I believe the answer is "no" in both cases. > Ad 1. That support should be completely eliminated or at least > made configurable and disabled by default. > Ad 2. I really hate it. It's like MSIE turning \'s into /'s in URL. Complete agreement. They've already resolved to fix #2 and I wasn't having a problem with that (in fact, it's kind of a cool feature because I got to see what it really thought of it, although it confused me at first). I also agree that they should disable this expansive interpretation of the standard unless people really want it. As far as I know, nobody really wants it except the mozilla developers because they don't want to have to change their crude heuristics. Well, the W3C HTML WG wants it because they don't want to have to do any work, but XML is not really catching on as fast as everybody thought. > > > If you read the comments on the reported bug, they seemed to fail to > > understand the bug and how easy it would be to fix while maintaining > > backwards compatibility. Then they resolved it duplicated on me when it > > wasn't the same bug as the other bug, essentially keeping it quiet. > > Excuse me? As far as I can tell it is the same problem. The only > difference is the fact you demonstrated possible security consequences of > it. Probably so. I still think that's a substantially different point. Perhaps it's a pure duplicate, but it warrants reopening the bug. Since I didn't file it originally, I can't reopen it (I think). Maybe I should post a comment to this thread on f-d? > > > Lots of perl and php scripts exist out there that filter for the regular > > expression '<.*>' matching only whole tags instead of '[<>]' which > > matches either end of a tag. > > The mistake made by those scripts is obvious: they attempt to deny bad > things and allow everything else rather than allow known good things > (ie. well-formed documents in some harmless subset of (X)HTML) and deny > everything else. Agreed as well, which is why I went to the script authors first. I then went to the mozilla people and informed them of the problem that was in my opinion quite dangerous. Then I sat on it because of my busy life until the subject came up on this list. Perhaps I'll file bugs on all the unimplemented features of SHORTTAG YES and reference my bug and say: precedent says you are supporting bugs in the specification just because of the unchangability of the HTML WG. Seth -- Seth Alan Woolley [seth at positivism.org], SPAM/UCE is unauthorized Key id EF10E21A = 36AD 8A92 8499 8439 E6A8 3724 D437 AF5D EF10 E21A http://smgl.positivism.org:11371/pks/lookup?op=get&search=0xEF10E21A Security Team Leader Source Mage GNU/Linux http://www.sourcemage.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040715/f3dd2344/attachment.bin
Powered by blists - more mailing lists