Bugtraq mailing list archives
Malicious-HTML vulnerabilities at deja.com
From: niall () POBOX COM (Niall Smart)
Date: Wed, 15 Mar 2000 17:11:00 +0000
Malicious-HTML vulnerabilities at deja.com
Niall Smart, niall () pobox com
03/03/2000

Synopsis
========

deja.com does not always escape meta-characters when displaying Usenet
articles. Specifically, the article view page (http://www.deja.com/getdoc.xp)
and the thread view page (http://www.deja.com/viewthread.xp) display the
subject of the article "as is" between title tags. This allows an attacker to
include arbitrary tags in the HTML sent to people reading the attacker's
article at deja.com.

There are probably a large number of sites out there with this type of
vulnerability; the deja.com example is interesting because it is a busy site
with a large number of users who naively trust it.

Exploit
=======

An attacker can embed any tag in the head or body of the HTML page. This
allows numerous attacks, including:

Cross Site Scripting: An attacker can post an article with a link to a script
on another server and call that script from the onLoad event handler.

Site Spoofing: An attacker can use a meta tag to automatically redirect the
user to a spoofed version of deja.com. See the CERT advisory referenced below
for more information on this type of attack.

Examples
========

NOTE: The following examples are intended to be harmless; however, I take no
responsibility for any damage caused by following these links.

JavaScript popup:
http://www.deja.com/getdoc.xp?AN=591804116

Redirection using meta tag:
http://www.deja.com/getdoc.xp?AN=591833344

Notes
=====

I haven't thoroughly tested deja.com's pages; there may be other instances of
this error. It would be particularly interesting to find one that didn't
require the attacker to include the HTML in the subject field of the article.

This example illustrates how *not* to approach meta-character escaping. If you
call a function to escape meta-characters each time the data is inserted into
the web page, as deja.com appear to do, you run the risk of occasionally
forgetting to do it: deja.com escape correctly in two other places on the
article view page but forget once. Instead you should escape them earlier in
the data flow, perhaps just after getting the data from the database, thereby
precluding the human-error factor.

References
==========

CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
http://www.cert.org/advisories/CA-2000-02.html

HTML 3.2 Character Entities
http://www.w3.org/TR/REC-html32.html#latin1
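The escaping strategy the Notes section recommends, as an added example that is not part of the original advisory or of deja.com's code: the unsafe pattern (raw subject placed between title tags) beside a version that escapes every string field once, at the point where the record leaves the data store, so no later rendering function can forget. The article rows, the SafeHtml marker type and the function names are all constructed for this illustration.

```python
import html
from dataclasses import dataclass

# Constructed sample "database rows": article number -> (subject, body).
# The second subject is the shape of input the advisory describes: it closes
# the <title> element and injects a script tag into the page head.
DB_ROWS = {
    1: ("Re: newsreader recommendations?", "Try slrn."),
    2: ('</title><script src="http://example.invalid/x.js"></script>', "..."),
}

class SafeHtml(str):
    """Marker type: text that has already been HTML-escaped."""

def escape(text: str) -> SafeHtml:
    # html.escape turns & < > " ' into character entities, so the value can
    # no longer open or close a tag or attribute wherever it is inserted.
    return SafeHtml(html.escape(text, quote=True))

@dataclass(frozen=True)
class Article:
    number: int
    subject: SafeHtml
    body: SafeHtml

def load_article(number: int) -> Article:
    """The single data-flow boundary: every string field is escaped here,
    immediately after leaving the data store, as the advisory suggests."""
    subject, body = DB_ROWS[number]
    return Article(number, escape(subject), escape(body))

def render_title_unsafe(raw_subject: str) -> str:
    # The pattern the advisory criticises: raw data between title tags.
    return f"<title>{raw_subject}</title>"

def render_page(article: Article) -> str:
    # Only pre-escaped fields reach this point; refuse anything else.
    if not isinstance(article.subject, SafeHtml):
        raise TypeError("render_page requires escaped fields")
    return (f"<html><head><title>{article.subject}</title></head>"
            f"<body><h1>{article.subject}</h1>"
            f"<pre>{article.body}</pre></body></html>")

def injects_tag(page: str) -> bool:
    # Crude detector for the two tag types the advisory names.
    lowered = page.lower()
    return "<script" in lowered or "<meta" in lowered
```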