Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Exploits in websites due to buggy input validation where mozilla is at fault as well as the website.
From: Seth Alan Woolley <seth () tautology org>
Date: Wed, 14 Jul 2004 10:32:04 -0700

If the topic of exploiting browsers to gain unauthorized access to
websites with buggy input validation is back in vogue, here's a strange
situation for you that _only_ works in mozilla-based browsers:

http://bugzilla.mozilla.org/show_bug.cgi?id=226495

When I reported the issue to mozilla, they shut me up promptly.

Essentially, mozilla creates '></script>' text if you have:

<script src=""

to make it:

<script scr=""></script>   (a view source in mozilla will confirm this)

Lots of perl and php scripts exist out there that filter for the regular
expression '<.*>' matching only whole tags instead of '[<>]' which
matches either end of a tag.

Is it just me or is that behavior idiotic?  I've seen this bug in
_multiple_ scripts I've audited.  For that reason, I feel much less safe
signing up for cookies on websites that I haven't audited myself for
this problem.  Since it is a script tag, that could open many a hole
later down the line that I haven't mentioned as well.  It's just another
reason to disable javascript and never use cookies for authentication.

Should mozilla fix this problem?

Proof of Concept:

http://smgl.positivism.org/music/indexvuln.html

If you read the comments on the reported bug, they seemed to fail to
understand the bug and how easy it would be to fix while maintaining
backwards compatibility.  Then they resolved it duplicated on me when it
wasn't the same bug as the other bug, essentially keeping it quiet.

Seth

-- 
Seth Alan Woolley [seth at positivism.org], SPAM/UCE is unauthorized
Key id EF10E21A = 36AD 8A92 8499 8439 E6A8  3724 D437 AF5D EF10 E21A
http://smgl.positivism.org:11371/pks/lookup?op=get&search=0xEF10E21A
Security Team Leader Source Mage GNU/Linux http://www.sourcemage.org

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]