Bugtraq mailing list archives

[bWM#012] Passing script/html-filter with special chars (multibrowser)


From: <ben.moeckel () badwebmasters net>
Date: Wed, 30 Jul 2003 04:48:01 +0200


ben moeckel security research - http://badWebMasters.net - security
advisories
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - 


badWebMasters security advisory #012:

        Passing script/html-filter with special chars (multibrowser)


Discovery date: 2003-07-16

Author: 

        ben moeckel (http://distressed.de)
        mailto: badwebmasters () online de


Description:

        When webbrowsers parse html they remove special chars,
        this behavior may be used by an malicious user to fool 
        script/html-filters in webapplications.


Detail:

        badWebMasters showed in their advisory #011 how to pass
        the "Snitz Forums"-scriptfilter with the Tab-Char (09).
        After "Opera" and "Mozilla"-users noticed that the
        provided exploit didn't work on their system I decided
        to start some new testings, with an amazing result!

        To detect what kind of special chars can be used in html-
        parameters I set up the following asp-page:

        -------------------------------------------2.asp---------
        <%@LANGUAGE=JScript%><%

        %><script>function a(o){alert(o)}</script><%
        %><img src="javascript:a('test')" /><%

        for(i=0;i<256;++i){
                uc = "%"+chk(i.toString(16));
                %><img src="ja<%=unescape(uc)%>vascript:a(<%=i%>)" />
        <% }

        function chk(sInp){if(sInp.length<2){
                return String("0"+sInp)
        }else{return sInp}}
        %>
        ---------------------------------------------------------

        The page has been viewed with Mozilla, Opera and Internet-
        Explorer, the alert-box poped up in this order:

                Mozilla 1.3.1 (Win32):  0 (with restricions)

                Opera 7.11 (Win32):     0, 9, 10, 13, 173

                Internet Explorer 5.0:  13, 10, 9, 0

        Mozilla doesn't allow the window.alert()-method in "javascript:"-
        images, so I had to use my own function "a()". It also returned 
        an error for char 9, 10 and 13: "Error: unterminated regular 
        expression literal".

        Webmasters may be carefull with char 173 (ADh) that can be used
        in Opera only.

        And last but not least silly Internet Explorer: reversed order!?


Test:

        http://badwebmasters.net/advisory/012/test.asp


Workaround:

        This advisory adresses all webapps that use a badword filter,
        make sure all control-chars are removed before badwords are 
        removed!


References: 

        badWebMasters advisory #011: Cross-Site-Scripting @ Snitz Forums
        - http://cert.uni-stuttgart.de/archive/bugtraq/2003/04/msg00247.html


Feedback: 

        Comments, suggestions, updates, anything else?
                -> mailto:badwebmasters () online de


Source:

        http://badwebmasters.net/advisory/012/ (text/html)


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - 
Copyright 2003 by ben moeckel (Benjamin Klimmek) for badWebMasters.
http://badwebmasters.net


Current thread: