Re: [Full-Disclosure] Exploits in websites due to buggy input validation where mozilla is at fault as well as the website.
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Exploits in websites due to buggy input validation where mozilla is at fault as well as the website.
- From: Pavel Kankovsky <peak@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 15 Jul 2004 21:13:12 +0200 (MET DST)
On Wed, 14 Jul 2004, Seth Alan Woolley wrote:
> If the topic of exploiting browsers to gain unauthorized access to
> websites with buggy input validation is back in vogue, here's a strange
> situation for you that _only_ works in mozilla-based browsers:
>
> http://bugzilla.mozilla.org/show_bug.cgi?id=226495
See http://www.w3.org/TR/html401/appendix/notes.html#h-B.3.7
(and "SHORTTAG ON" in http://www.w3.org/TR/html401/sgml/sgmldecl.html)
<div><script src="indexvuln.js"</div>
should be interpreted as
<div><script src="indexvuln.js"></script></div>
W3 HTML validator interprets it this way (complaining about missing
</script>).
There are two questions:
1. Should Mozilla support this bizarre esoteric feature of HTML?
(in fact, this is a bizarre esoteric feature of SGML)
2. Should Mozilla mangle the source when you view it?
I believe the answer is "no" in both cases.
Ad 1. That support should be completely eliminated or at least
made configurable and disabled by default.
Ad 2. I really hate it. It's like MSIE turning \'s into /'s in URL.
> If you read the comments on the reported bug, they seemed to fail to
> understand the bug and how easy it would be to fix while maintaining
> backwards compatibility. Then they resolved it duplicated on me when it
> wasn't the same bug as the other bug, essentially keeping it quiet.
Excuse me? As far as I can tell it is the same problem. The only
difference is the fact you demonstrated possible security consequences of
it.
> Lots of perl and php scripts exist out there that filter for the regular
> expression '<.*>' matching only whole tags instead of '[<>]' which
> matches either end of a tag.
The mistake made by those scripts is obvious: they attempt to deny bad
things and allow everything else rather than allow known good things
(i.e. well-formed documents in some harmless subset of (X)HTML) and deny
everything else.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
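The two filtering strategies contrasted in the thread, side by side, as an added illustration that is not part of the original mail or the Bugzilla report. The sample input is constructed; the deny-list pattern '<.*>' is the one named in the thread, and the allow-list here admits only bare <b>/<i>/<em>/<strong> tags (an assumed "harmless subset"), escaping everything else.

```python
import html
import re

# Constructed untrusted input: a start tag with no closing '>'.
# Under SGML SHORTTAG (NET-enabling start tags) a following "</div>"
# is enough to turn it into <script src="indexvuln.js"></script>.
UNTRUSTED = '<script src="indexvuln.js"'

# The deny-list filter from the thread: only *whole* tags are removed,
# so an unterminated tag passes straight through.
DENY_TAG = re.compile(r'<.*>')

# The allow-list: a small set of attribute-free tags; anything else is text.
ALLOWED_TAG = re.compile(r'(</?(?:b|i|em|strong)>)')


def denylist_strip(fragment: str) -> str:
    """Remove things that look like complete tags; keep the rest verbatim."""
    return DENY_TAG.sub('', fragment)


def allowlist_filter(fragment: str) -> str:
    """Keep only known-good bare tags; HTML-escape every other character."""
    # re.split with a capturing group alternates text / tag / text / tag ...
    parts = ALLOWED_TAG.split(fragment)
    return ''.join(
        part if index % 2 else html.escape(part, quote=True)
        for index, part in enumerate(parts)
    )


def render(fragment: str) -> str:
    """Embed the filtered fragment the way the vulnerable page does."""
    return f'<div>{fragment}</div>'


def balanced_angle_brackets(markup: str) -> bool:
    """Cheap sanity check for output: every '<' must have its '>'."""
    return markup.count('<') == markup.count('>')


if __name__ == '__main__':
    bad = render(denylist_strip(UNTRUSTED))
    good = render(allowlist_filter(UNTRUSTED))
    print('deny-list :', bad, '| balanced:', balanced_angle_brackets(bad))
    print('allow-list:', good, '| balanced:', balanced_angle_brackets(good))
```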