Full Disclosure mailing list archives
Re: Exploits in websites due to buggy input validation where mozilla is at fault as well as the website.
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Thu, 15 Jul 2004 21:13:12 +0200 (MET DST)
On Wed, 14 Jul 2004, Seth Alan Woolley wrote:
> If the topic of exploiting browsers to gain unauthorized access to websites with buggy input validation is back in vogue, here's a strange situation for you that _only_ works in mozilla-based browsers: http://bugzilla.mozilla.org/show_bug.cgi?id=226495
See http://www.w3.org/TR/html401/appendix/notes.html#h-B.3.7 (and "SHORTTAG ON" in http://www.w3.org/TR/html401/sgml/sgmldecl.html)

<div><script src="indexvuln.js"</div>

should be interpreted as

<div><script src="indexvuln.js"></script></div>

W3 HTML validator interprets it this way (complaining about missing </script>).

There are two questions:

1. Should Mozilla support this bizarre esoteric feature of HTML? (in fact, this is a bizarre esoteric feature of SGML)

2. Should Mozilla mangle the source when you view it?

I believe the answer is "no" in both cases.

Ad 1. That support should be completely eliminated or at least made configurable and disabled by default.

Ad 2. I really hate it. It's like MSIE turning \'s into /'s in URL.
> If you read the comments on the reported bug, they seemed to fail to understand the bug and how easy it would be to fix while maintaining backwards compatibility. Then they resolved it duplicated on me when it wasn't the same bug as the other bug, essentially keeping it quiet.
Excuse me? As far as I can tell it is the same problem. The only difference is the fact you demonstrated possible security consequences of it.
> Lots of perl and php scripts exist out there that filter for the regular expression '<.*>' matching only whole tags instead of '[<>]' which matches either end of a tag.
The mistake made by those scripts is obvious: they attempt to deny bad things and allow everything else rather than allow known good things (i.e. well-formed documents in some harmless subset of (X)HTML) and deny everything else.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
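Added example, not part of the thread: a small Python script that reproduces the filtering mistake discussed above (a denylist regex that only removes complete `<...>` tags) and contrasts it with the character-based filter and with the allowlist approach Pavel recommends. The function names, the `<div>...</div>` page template and the user-supplied fragment are constructed for illustration; only the `indexvuln.js` file name comes from the post. The allowlist here is deliberately minimal (a handful of exact, well-formed inline tags), since a richer one needs a real HTML sanitizer rather than a regex.

```python
import html
import re

# Constructed user-supplied fragment: a start tag with no closing '>'.
# A "whole tag" denylist never sees a complete tag here, so it passes the
# fragment through untouched.  Only the file name is taken from the post.
USER_INPUT = '<script src="indexvuln.js"'

# Constructed benign input, used to show the allowlist keeps harmless markup.
BENIGN = 'Hello <b>world</b> & 1 < 2'


def embed(fragment: str) -> str:
    """Hypothetical page template: the site drops the (filtered) fragment into a <div>."""
    return '<div>' + fragment + '</div>'


def strip_whole_tags(text: str) -> str:
    """Denylist filter from the post: removes only complete <...> tags.
    The non-greedy variant '<.*?>' fails on the same input for the same reason."""
    return re.sub(r'<.*>', '', text)


def strip_angle_brackets(text: str) -> str:
    """Character-based filter from the post: removes every '<' and '>'."""
    return re.sub(r'[<>]', '', text)


# Harmless subset: exact, well-formed inline tags only (constructed choice).
ALLOWED_TAG = re.compile(r'(</?(?:b|i|em|strong)>)')


def allowlist_subset(text: str) -> str:
    """Allowlist approach: keep exact tags from the harmless subset and treat
    everything else, including any stray '<' or '"', as text to be escaped."""
    out = []
    # re.split with one capturing group alternates text (even index) and tag (odd index).
    for i, part in enumerate(ALLOWED_TAG.split(text)):
        out.append(part if i % 2 == 1 else html.escape(part, quote=True))
    return ''.join(out)


def has_tag_opener(text: str) -> bool:
    """Detection check: does the output still contain something a browser could
    treat as the start of a tag ('<' followed by an optional '/' and a letter)?"""
    return re.search(r'<\s*/?[A-Za-z]', text) is not None


def run_all(fragment: str) -> dict:
    """Run every filter over a fragment and report the page each one produces
    and whether a tag opener survived."""
    results = {}
    for name, fn in (('whole_tags', strip_whole_tags),
                     ('angle_brackets', strip_angle_brackets),
                     ('allowlist', allowlist_subset)):
        page = embed(fn(fragment))
        results[name] = {'page': page, 'tag_opener_left': has_tag_opener(fn(fragment))}
    return results


if __name__ == '__main__':
    for name, r in run_all(USER_INPUT).items():
        print(f'{name:15s} opener_left={r["tag_opener_left"]!s:5s} {r["page"]}')
    print('benign via allowlist:', allowlist_subset(BENIGN))
```

Running it shows the whole-tag filter emitting exactly the `<div><script src="indexvuln.js"</div>` page from the thread, while the character filter and the allowlist both leave nothing a SHORTTAG-tolerant parser could complete into a script element.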
Current thread:
- Exploits in websites due to buggy input validation where mozilla is at fault as well as the website. Seth Alan Woolley (Jul 14)
- Re: Exploits in websites due to buggy input validation where mozilla is at fault as well as the website. Barry Fitzgerald (Jul 15)
- Re: Exploits in websites due to buggy input validation where mozilla is at fault as well as the website. Nick FitzGerald (Jul 15)
- Re: Exploits in websites due to buggy input validation where mozilla is at fault as well as the website. Barry Fitzgerald (Jul 15)
- Re: Exploits in websites due to buggy input validation where mozilla is at fault as well as the website. Seth Alan Woolley (Jul 15)
- Re: Exploits in websites due to buggy input validation where mozilla is at fault as well as the website. Nick FitzGerald (Jul 15)
- Re: Exploits in websites due to buggy input validation where mozilla is at fault as well as the website. Seth Alan Woolley (Jul 15)
- Re: Exploits in websites due to buggy input validation where mozilla is at fault as well as the website. Nick FitzGerald (Jul 15)
- Re: Exploits in websites due to buggy input validation where mozilla is at fault as well as the website. Barry Fitzgerald (Jul 15)
- Re: Exploits in websites due to buggy input validation where mozilla is at fault as well as the website. Seth Alan Woolley (Jul 15)