Bugtraq: Re: XSS on Yahoo Mail

[Steven Champeon <schampeo () hesketh com>]

on Thu, Nov 24, 2005 at 03:50:04AM +0100, Will Wesley wrote:
> --- Richard Fuchshuber <richardfuch () yahoo com br>
> schrieb:
> > <?
> > <TABLE border="1" cellspacing="1" cellpadding="0">
> > <TR>Your profile is out of date, please update <a
> > href="www.blabla.com">clicking here.</a></TR>
> > </TABLE>
<snip>

> The real problem is that you are injecting a TR
> element into the middle of a TD, then closing the
> table without first closing the TD. Any web developer
> who would do such a thing is a moron, and your browser
> does the best it can to make sense of it. You might
> try asking Yahoo how to turn HTML off, or simply use
> POP with a text only reader to work around this.
I think you missed the point. He's actually just inserting ill-formed
markup into the document flow and the browsers do react in the ways he
described to such markup. As such, the problem exists. Calling out moron
Web designers doesn't help much here. In HTML 3.2 and 4.0, for example,
an open TD tag is required, so when non-markup text follows a start TR
tag, the browser doesn't know how to deal with that text and places it
out of the table's document flow, which has the result of throwing it
further up the page, outside /and preceding/ the table in which it was
found. This is a well-known problem to Web designers (who used to use it
to troubleshoot complex table-based page layouts), but it doesn't
mitigate its importance to those concerned with preventing XSS.

Steve

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/