Bugtraq mailing list archives

Re: CSS bug in Winamp


From: Chris <prgmrchris2k1 () yahoo com>
Date: Fri, 9 Aug 2002 09:39:24 -0700 (PDT)


--- DownBload <downbload () hotmail com> wrote:

[ Illegal Instruction Security Research Labs Advisory ]

[--------------------------------------------------------------------]
Advisory name: CSS bug in Winamp
Advisory number: 8
Application: Winamp
Vendor: Nullsoft
WEB: www.winamp.com
Tested on: Winamp 2.76 and 2.79 (Windows 98)
Impact: CSS execution during generation of html playlist
Discovered by: DownBload
Mail me @: downbload () hotmail com

------[ Overview
Winamp is (as we all know) the most popular mp3 player.

------[ Problem
ID3v2 tag in mp3 file contains some information about mp3 file (artist, title, album, comment, etc.). Winamp supports creation of html playlist from winamp playlist.
During generation process in html file is written only 'artist' and 'title' section of ID3v2 tag.
In 'artist' and 'title' section, we can put arbitrary CSS code, which will be executed when html playlist will be generated, and shown with default web browser.

------[ Example
Open 'view file info' on some mp3 file (read only flag on that file must be removed), and edit ID3v2 tag. Put some text in 'artist' section (if you wanna fool somebody, it is the best to write the name of the artist and song name in 'artist' section. After that put some blank space characters (around 100) and . after that), and CSS code which will be executed in 'title' section. For testing purposes, in 'title' section, you can put:
-----cut here-----
<script> alert ("HI!!!"); </script>
-----cut here-----
You can put some blank space (in 'title' section) before CSS code too. After that generate html file from playlist, and you will see msgbox, with text HI!!!

------[ GREETZ
Goes to Illegal Instruction Labs (Boyscout, h4z4rd, Sunnis, Styx), www.active-security.org, finis, Fr1c, harlequin, st0rm, phreax, all of #hr.hackers <irc.carnet.hr>.
Thanks to dr_cr@zy for providing me with hardware support, when my computer is on vacation :).
Very special greetz go to |<4r0l1n4.
I'm very sorry if I forgot someone...

This appears to be corrected in Winamp 2.80, as I was unable to get the exploit functional.

- Chris (chris () box sk)
http://linux.box.sk/
http://blacksun.box.sk/
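An added example, not part of this thread or of Winamp's code, contrasting a playlist generator that copies ID3v2 artist/title text into HTML verbatim (the behaviour the advisory describes) with one that HTML-escapes every tag value before insertion. The Track class, function names and sample tags are constructed for illustration; the title payload is the advisory's own test string.

```python
import html
from dataclasses import dataclass
from typing import Iterable


# Hypothetical stand-in for the parsed ID3v2 fields a player writes out.
@dataclass(frozen=True)
class Track:
    artist: str
    title: str


TEMPLATE = "<html><body><table>\n{rows}</table></body></html>\n"


def render_playlist_unsafe(tracks: Iterable[Track]) -> str:
    """Flawed generator: tag text from an untrusted mp3 goes into the page as-is."""
    rows = "".join(
        f"<tr><td>{t.artist}</td><td>{t.title}</td></tr>\n" for t in tracks
    )
    return TEMPLATE.format(rows=rows)


def render_playlist(tracks: Iterable[Track]) -> str:
    """Hardened generator: '<', '>', '&' and both quote characters in every
    field become entities, so tag text can never open markup or a script."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td></tr>\n".format(
            html.escape(t.artist, quote=True), html.escape(t.title, quote=True)
        )
        for t in tracks
    )
    return TEMPLATE.format(rows=rows)


def has_unescaped_script(page: str) -> bool:
    """Quick check over generated output: a literal <script tag means tag
    text reached the HTML without being escaped."""
    return "<script" in page.lower()


# Constructed sample input: the title carries the advisory's test payload,
# the artist field uses the long run of spaces it mentions, and the second
# track shows that legitimate '&' and quote characters still render safely.
SAMPLE = [
    Track("Some Artist - Some Song" + " " * 100 + ".",
          '<script> alert ("HI!!!"); </script>'),
    Track("Plain & Simple", 'Tom\'s "Quoted" Title'),
]

if __name__ == "__main__":
    print("unsafe output leaks script:", has_unescaped_script(render_playlist_unsafe(SAMPLE)))
    print("escaped output leaks script:", has_unescaped_script(render_playlist(SAMPLE)))
```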
