Vulnerability Development mailing list archives
Re: Web Browsers vulnerable to the Extended HTML Form Attack (IE and OPERA)
From: jon schatz <jon () divisionbyzero com>
Date: 07 Feb 2002 13:20:08 -0800
On Thu, 2002-02-07 at 08:40, Mark Renouf wrote:
> obscure wrote:
> > FYI: Mozilla 0.9.8+ gives an alert: "Access to the port number given has been disabled for security reasons."

this is one of those ancient netscape-isms. there are certain ports that you've never been able to connect to. While i can't seem to find an exact list anywhere, i did find this in some iplanet docs, and i assume this is implemented the same way in the mozilla core:

"To avoid protocol spoofing by rogue/misconfigured URLs, iPlanet Web Proxy Server does not allow clients to connect on certain reserved ports. If using an HTTP URL, the client may not configure the URL to use the following ports: 1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 23, 25, 37, 42, 43, 53, 70, 77, 79, 87, 95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 135, 143, 389, 512, 513, 514, 515, 526, 530, 531, 532, 540, 556, 601, 6000"

http://docs.iplanet.com/docs/manuals/proxy/36/adminnt/resport.htm

also (just for grins), i tried something similar with apache (since port 80 is ok):

[jon@opiate jon]$ nc localhost 80
GET /<script>alert(document.cookie)</script> HTTP/1.0

HTTP/1.1 404 Not Found
<--snip-->
<H1>Not Found</H1>
<--snip-->
The requested URL /<script>alert(document.cookie)</script> was not found on this server.<P>
<HR>

i also tested with squid (notice port 3128 isn't in the blocked list):

HTTP/1.0 400 Bad Request
<--snip-->
While trying to retrieve the URL:
<A HREF="/<script>alert(document.cookie)</script>">/<script>alert(document.cookie)</script></A>
<--snip-->

both of them encoded the <>'s.

and finally, i tried with iis. i got back an error page that made no mention of the url i requested. there are a lot of other services on the web that may or may not echo back commands though, so i bet there are more versions of this same exploit.

-jon

--
jon () divisionbyzero com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."
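As an added illustration of the browser-side port restriction the post discusses (example code, not Mozilla's or iPlanet's own), here is a URL port check built on the iPlanet list quoted above; that the Mozilla core used the same list is the post's assumption, and the per-scheme default ports are mine.

```python
"""Restricted-port check in the style of the Netscape/Mozilla port block.
Added example; the port list is the iPlanet list quoted in the post above."""
from urllib.parse import urlsplit

# Ports iPlanet Web Proxy Server refuses for HTTP URLs (as quoted in the post).
# Assumption: Mozilla's own list at the time may have differed in detail.
RESTRICTED_PORTS = frozenset({
    1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 23, 25, 37, 42, 43, 53, 70, 77, 79,
    87, 95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 135, 143,
    389, 512, 513, 514, 515, 526, 530, 531, 532, 540, 556, 601, 6000,
})

# Assumed scheme defaults used when the URL carries no explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(url: str) -> int:
    """Return the TCP port a browser would connect to for this URL.

    An explicit port wins; otherwise the scheme default applies. urlsplit's
    .port property raises ValueError for a non-numeric or out-of-range port.
    """
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    try:
        return DEFAULT_PORTS[parts.scheme.lower()]
    except KeyError:
        raise ValueError(f"no default port for scheme {parts.scheme!r}") from None


def port_allowed(url: str) -> bool:
    """True when the URL's port is outside the restricted set.

    Why the block exists: a request aimed at a non-HTTP service (SMTP on 25,
    NNTP on 119, X11 on 6000, ...) may be echoed back by that service, and
    the browser would then render the echo as HTML. Port 3128 (squid) is not
    on the list, which is the gap the post points out.
    """
    return effective_port(url) not in RESTRICTED_PORTS


def check_urls(urls):
    """Map each URL to its verdict; URLs with unparsable ports count as blocked."""
    verdicts = {}
    for u in urls:
        try:
            verdicts[u] = port_allowed(u)
        except ValueError:
            verdicts[u] = False
    return verdicts
```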