Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Exploits in websites due to buggy input validation where mozilla is at fault as well as the website.
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Thu, 15 Jul 2004 21:13:12 +0200 (MET DST)

On Wed, 14 Jul 2004, Seth Alan Woolley wrote:

If the topic of exploiting browsers to gain unauthorized access to
websites with buggy input validation is back in vogue, here's a strange
situation for you that _only_ works in mozilla-based browsers:

http://bugzilla.mozilla.org/show_bug.cgi?id=226495

See http://www.w3.org/TR/html401/appendix/notes.html#h-B.3.7
(and "SHORTTAG ON" in http://www.w3.org/TR/html401/sgml/sgmldecl.html)

<div><script src="indexvuln.js"</div>

should be interpreted as

<div><script src="indexvuln.js"></script></div>

W3 HTML validator interprets it this way (complaining about missing
</script>).

There are two questions:
1. Should Mozilla support this bizzare esoteric feature of HTML?
   (in fact, this is a bizzare esoteric feature of SGML)
2. Should Mozilla mangle the source when you view it?

I believe the answer is "no" in both cases.
Ad 1. That support should be completely eliminated or at least
      made configurable and disabled by default.
Ad 2. I really hate it. It's like MSIE turning \'s into /'s in URL.

If you read the comments on the reported bug, they seemed to fail to
understand the bug and how easy it would be to fix while maintaining
backwards compatibility.  Then they resolved it duplicated on me when it
wasn't the same bug as the other bug, essentially keeping it quiet.

Excuse me? As far as I can tell it is the same problem. The only
difference is the fact you demonstrated possible security consequences of 
it.

Lots of perl and php scripts exist out there that filter for the regular
expression '<.*>' matching only whole tags instead of '[<>]' which
matches either end of a tag.

The mistake made by those scripts is obvious: they attempt to deny bad
things and allow everything else rather than allow known good things
(ie. well-formed documents in some harmless subset of (X)HTML) and deny
everything else.


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]