Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Malicious-HTML vulnerabilities at deja.com
From: geert () UTTNARAG TN UTWENTE NL (Geert Altena)
Date: Fri, 17 Mar 2000 12:31:46 +0100


You, Niall Smart, <niall () POBOX COM>, wrote:

deja.com does not always escape meta-characters when displaying
                ^^^^^^^^^^
Usenet articles.  Specifically, the article view page
(http://www.deja.com/getdoc.xp) and the thread view page
(http://www.deja.com/viewthread.xp) display the subject of the
article "as is" between title tags.

Examples
========

JavaScript popup:

  http://www.deja.com/getdoc.xp?AN=591804116

Comes out as (copy/paste from netscape):
------------
Forum: alt.test
Thread: </title><script
src="http://www.in-design.com/~nsmart/foo.js";></script><body
onLoad="return bar()">
Message 1 of 1

Subject: </title><script src="http://www.in-design.com/~nsmart/foo.js";>
         </script><body onLoad="return bar()">
Date: 03/01/2000
Author: regkey <regkey () yahoo com>
--------------

I have javascript enabled, no popup.

Redirection using meta tag:

  http://www.deja.com/getdoc.xp?AN=591833344

Comes out as:
-----------------
Forum: alt.test
Thread: </title><meta http-equiv="refresh"
           content="0;url=http://www.in-design.com/~nsmart/deja.html";>
Message 1 of 1

Subject: </title><meta http-equiv="refresh"
         content="0;url=http://www.in-design.com/~nsmart/deja.html";>
Date: 03/01/2000
Author: regkey <regkey () yahoo com>
--------------------

No redirection here to www.in-design.com.

Looking at the source, in both cases (javascript and meta rerefresh) the
"<" and ">" are properly replaced by "&lt;" and "&gt;" eliminating the
vulnerabilities you mentioned. Same thing applies then I get the article
via powersearch.

So either someone at Deja reads Bugtraq and did a fix before this reply or
this is a case where things _are_ properly escaped.

Cheers,
\Geert.

--
Geert Altena | Geert () uttnarag tn utwente nl | Coffee, black, no sugar
         Finger for PGPkey : Diffie-Hellman 2048/0xC540C550
  Prediction is difficult, especially of the future. - (Niels Bohr)



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]