If the topic of exploiting browsers to gain unauthorized access to websites with buggy input validation is back in vogue, here's a strange situation for you that _only_ works in mozilla-based browsers:

http://bugzilla.mozilla.org/show_bug.cgi?id=226495

When I reported the issue to mozilla, they shut me up promptly.

Essentially, mozilla creates '></script>' text if you have:

<script src=""

to make it:

<script src=""></script>

(a view source in mozilla will confirm this)

Lots of perl and php scripts exist out there that filter for the regular expression '<.*>', matching only whole tags, instead of '[<>]', which matches either end of a tag.

Is it just me or is that behavior idiotic? I've seen this bug in _multiple_ scripts I've audited. For that reason, I feel much less safe signing up for cookies on websites that I haven't audited myself for this problem. Since it is a script tag, that could open many a hole later down the line that I haven't mentioned as well. It's just another reason to disable javascript and never use cookies for authentication.

Should mozilla fix this problem?

Proof of Concept:

http://smgl.positivism.org/music/indexvuln.html

If you read the comments on the reported bug, they seemed to fail to understand the bug and how easy it would be to fix while maintaining backwards compatibility. Then they resolved it as a duplicate on me when it wasn't the same bug as the other bug, essentially keeping it quiet.

Seth

--
Seth Alan Woolley [seth at positivism.org], SPAM/UCE is unauthorized
Key id EF10E21A = 36AD 8A92 8499 8439 E6A8 3724 D437 AF5D EF10 E21A
http://smgl.positivism.org:11371/pks/lookup?op=get&search=0xEF10E21A
Security Team Leader Source Mage GNU/Linux http://www.sourcemage.org
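The filter weakness described in the post, shown as an added example (not the poster's code, and the sample inputs and the example.invalid URL are constructed): a '<.*>' filter leaves an unterminated '<script src=' fragment untouched, while a '[<>]' filter or output encoding does not.

```python
import html
import re

# Constructed sample inputs: one harmless comment with balanced tags and one
# unterminated script tag of the kind the post says mozilla auto-closes.
SAMPLES = {
    "benign": "I like <b>this</b> song",
    "unterminated": 'nice track <script src="http://example.invalid/x.js"',
}


def strip_whole_tags(s: str) -> str:
    """Weak filter from the post: removes only complete <...> tags."""
    return re.sub(r"<.*>", "", s)


def strip_brackets(s: str) -> str:
    """Stricter filter from the post: removes every '<' and '>' regardless of pairing."""
    return re.sub(r"[<>]", "", s)


def escape_output(s: str) -> str:
    """Preferred fix: encode instead of strip, so nothing can be parsed as markup."""
    return html.escape(s, quote=True)


def tag_start_survives(filter_fn, s: str) -> bool:
    """True if a raw '<' remains after filtering, i.e. a lenient parser could still
    see a tag opening (and, per the post, auto-close it into a real <script> element)."""
    return "<" in filter_fn(s)


def audit(s: str) -> dict:
    """Run each filter over one input and report whether a tag start survives."""
    return {
        "whole_tags": tag_start_survives(strip_whole_tags, s),
        "brackets": tag_start_survives(strip_brackets, s),
        "escape": tag_start_survives(escape_output, s),
    }


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit(text))
```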