Bugtraq mailing list archives
Malicious-HTML vulnerabilities at deja.com
From: niall () POBOX COM (Niall Smart)
Date: Wed, 15 Mar 2000 17:11:00 +0000
Malicious-HTML vulnerabilities at deja.com
Niall Smart, niall () pobox com
03/03/2000
Synopsis
========
deja.com does not always escape meta-characters when displaying
Usenet articles. Specifically, the article view page
(http://www.deja.com/getdoc.xp) and the thread view page
(http://www.deja.com/viewthread.xp) display the subject of the
article "as is" between title tags.
This allows an attacker to include arbitrary tags in the HTML sent
to people reading the attacker's article at deja.com.
There are probably a large number of sites out there with this type
of vulnerability; the deja.com example is interesting because it's
a busy site with a large number of users who naively trust it.
Exploit
=======
An attacker can embed any tag in the head or body of the HTML page.
This allows numerous attacks including:
Cross Site Scripting:
An attacker can post an article with a link to a script on another
server and call that script from the onLoad event handler.
Site Spoofing:
An attacker can use a meta tag to automatically redirect the
user to a spoofed version of deja.com.
See the CERT advisory referenced below for more information on this
type of attack.
Examples
========
NOTE: The following examples are intended to be harmless; however,
I take no responsibility for any damage caused by following
these links.
JavaScript popup:
http://www.deja.com/getdoc.xp?AN=591804116
Redirection using meta tag:
http://www.deja.com/getdoc.xp?AN=591833344
Notes
=====
I haven't thoroughly tested deja.com's pages; there may be other
instances of this error. It would be particularly interesting to
find one that didn't require the attacker to include the HTML in
the subject field of the article.
This example illustrates how *not* to approach meta-character
escaping. If you call a function to escape meta-characters each
time the data is inserted into the web page, as deja.com appear to
do, you run the risk of occasionally forgetting to do it: deja.com
escape correctly in two other places on the article view page but
forget once. Instead, escape the data earlier in the data flow,
perhaps just after retrieving it from the database, so that every
later insertion point receives already-escaped text and the
human-error factor is removed.
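As an added illustration of the point above (not code from the
advisory or from deja.com), the following Python puts the
escape-at-each-insertion pattern, with one insertion point forgotten,
next to the escape-once-when-loaded pattern. The article record, its
field names and the page layout are constructed for the example.

```python
import html
from dataclasses import dataclass

# Constructed sample article; a harmless subject that still contains
# markup meta-characters, so the two renderers can be compared.
ARTICLE = {
    "subject": 'Re: <b>bold</b> & "quotes"',
    "author": "poster@example.invalid",
    "body": "Hello <world>",
}


def render_per_insertion(article):
    """Escape at every insertion point. Three places are escaped,
    the <title> is forgotten: the same shape as the deja.com bug."""
    return (
        f"<html><head><title>{article['subject']}</title></head>"   # forgotten
        f"<body><h1>{html.escape(article['subject'])}</h1>"
        f"<p>From: {html.escape(article['author'])}</p>"
        f"<pre>{html.escape(article['body'])}</pre></body></html>"
    )


@dataclass(frozen=True)
class SafeArticle:
    """Fields are HTML-escaped text; templates never see raw input."""
    subject: str
    author: str
    body: str


def load_article(raw):
    """Escape once, at the point where data leaves the store."""
    return SafeArticle(**{k: html.escape(v, quote=True) for k, v in raw.items()})


def render_escape_at_load(raw):
    a = load_article(raw)
    return (f"<html><head><title>{a.subject}</title></head>"
            f"<body><h1>{a.subject}</h1><p>From: {a.author}</p>"
            f"<pre>{a.body}</pre></body></html>")


def leaks_raw_markup(page, untrusted_values):
    """Simple check: does any untrusted value containing HTML
    meta-characters appear verbatim in the rendered page?"""
    return any(v in page and any(c in v for c in '<>&"')
               for v in untrusted_values)
```

Escaping at load time works here because every output is HTML
element content; fields that also end up inside URLs or script
need context-specific encoding instead of one fixed escape.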
References
==========
CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
http://www.cert.org/advisories/CA-2000-02.html
HTML 3.2 Character Entities
http://www.w3.org/TR/REC-html32.html#latin1