mailing list archives
Re: Exploits in websites due to buggy input validation where mozilla is at fault as well as the website.
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Thu, 15 Jul 2004 21:13:12 +0200 (MET DST)
On Wed, 14 Jul 2004, Seth Alan Woolley wrote:
If the topic of exploiting browsers to gain unauthorized access to
websites with buggy input validation is back in vogue, here's a strange
situation for you that _only_ works in mozilla-based browsers:
(and "SHORTTAG ON" in http://www.w3.org/TR/html401/sgml/sgmldecl.html)
should be interpreted as
W3 HTML validator interprets it this way (complaining about missing
There are two questions:
1. Should Mozilla support this bizzare esoteric feature of HTML?
(in fact, this is a bizzare esoteric feature of SGML)
2. Should Mozilla mangle the source when you view it?
I believe the answer is "no" in both cases.
Ad 1. That support should be completely eliminated or at least
made configurable and disabled by default.
Ad 2. I really hate it. It's like MSIE turning \'s into /'s in URL.
If you read the comments on the reported bug, they seemed to fail to
understand the bug and how easy it would be to fix while maintaining
backwards compatibility. Then they resolved it duplicated on me when it
wasn't the same bug as the other bug, essentially keeping it quiet.
Excuse me? As far as I can tell it is the same problem. The only
difference is the fact you demonstrated possible security consequences of
Lots of perl and php scripts exist out there that filter for the regular
expression '<.*>' matching only whole tags instead of '[<>]' which
matches either end of a tag.
The mistake made by those scripts is obvious: they attempt to deny bad
things and allow everything else rather than allow known good things
(ie. well-formed documents in some harmless subset of (X)HTML) and deny
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
Full-Disclosure - We believe in it.
Re: Exploits in websites due to buggy input validation where mozilla is at fault as well as the website. Pavel Kankovsky (Jul 15)