Bugtraq mailing list archives

Re: GOBBLES SECURITY ADVISORY #33


From: Blue Boar <BlueBoar () thievco com>
Date: Fri, 10 May 2002 20:31:06 -0700

What follows is GOBBLES advisory #33.
<snip>
* JavaScript entities
---------------------

Only hotmail security historians like those at GOBBLES Security know of
obscure feature in JavaScript language that make it easy to bypass thing
like "<...>", "<script>...</script>", and "javascript:" filter for CSS
attack using JavaScript. That is thing called JavaScript entity. Like...

&{alert('GOBBLES')};

I was initially a bit confused, since none of your examples worked when I tried them. However, after a quick Google search, I found this page:
http://www.javascriptkit.com/javatutors/entity3.shtml

Which says that JavaScript entities are not supported in IE. They've been supported in Netscape since 3.0, but experimentation shows that they don't work in Mozilla 0.99. I don't have Opera to test. They do work in Netscape 4.78 on Win98SE. I think it's likely that this feature only works in Netscape 3.x through 4.7x, which I believe have been abandoned for further updates, so they shouldn't be used if you're trying to be secure.

Hang on...
Dave Ahmad reports that he can't get them to work on MSIE 6.0.26 / Windows ME and Opera 6.0 Technology Preview 3 Build 98, on Linux 2.2.16-22. He can get it to work on Netscape 4.75 on Linux.

What browsers did you test?

<snip>

3. thievco.com / Matt Wright's guestbook script
-----------------------------------------------
Matt Wright's guestbook script can be found at:

http://worldwidemart.com/scripts/guestbook.shtml

To his credit, he has $allow_html variable that can strip "<...>" stuff, but
once again, GOBBLES trademarked JavaScript Entity CSS Technique come to the
rescue. Incidentally, The Blue Boar allows html in his guestbook fields, but
as we just said, the presence of this does not determine whether or not we
can use our CSS technique. We always can.

if ($FORM{'url'}) {
    print GUEST "<a href=\"$FORM{'url'}\">$FORM{'realname'}</a>";
}

You see, even if html form do not have 'url' parameter, remote attacker can
still create their own local html form pointing at The Blue Boar's website
or some other site with Matt Wright's guestbook script. This permits them to
inject malicious data via 'url' parameter that will allow CSS attacks on
anyone viewing the guestbook.

As the uhh.. vendor for this site, my official response is that your CSS example at thievco.com is completely irrelevant. As you mention yourself, I allow arbitrary HTML in the guestbook, so there is no point in using a CSS attack. What mischief can be accomplished with my guestbook is a superset of CSS.

Suggest you take a look at the history of other problems with Guestbook. It hasn't been maintained in years, and previous attempts to contact the author have gone unanswered (did you try?). You might consider releasing a patch for it with your information. Since it has known holes and is unmaintained, I recommend that it not be used on sites that one is concerned about being broken into. Since my site is hosted, anyone with $20 can have a shell on that machine, so breakins are not a large concern for me.

Thanks for thinking of me, though. Sorry that I don't have time like Dave to edit your posts to vuln-dev to make them suitable for publishing.
BB


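The guestbook snippet quoted above prints the submitted 'url' straight into an href attribute, and the advisory's point is that a filter which only strips "<...>" leaves attribute-context payloads such as the &{...} entity syntax and "javascript:" untouched. The following is an added Python sketch (not the guestbook's Perl, not from the thread) of how a maintainer would close that hole: escape every untrusted value for the HTML attribute context, including "&", and allow only http/https links with a host. The sample inputs are constructed for illustration.

```python
import html
import re
from urllib.parse import urlparse

# Models the $allow_html=0 filter in the quoted script: it removes <...> only,
# so "&" and quote characters inside an attribute value survive untouched.
def naive_strip_tags(value: str) -> str:
    return re.sub(r"<[^>]*>", "", value)

# Mirrors the quoted print statement: url and realname interpolated directly.
def render_link_unsafe(url: str, realname: str) -> str:
    return f'<a href="{naive_strip_tags(url)}">{naive_strip_tags(realname)}</a>'

ALLOWED_SCHEMES = {"http", "https"}

# Allow-list the link target: an absolute http(s) URL with a host, nothing else.
# Returns None for javascript:, bare entity syntax, relative paths, etc.
def safe_url(url: str):
    candidate = url.strip()
    parts = urlparse(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate

# Hardened renderer: html.escape(quote=True) encodes & < > " ' so neither a
# tag, a closing quote, nor an "&{" sequence can reach the page unencoded.
# If the URL fails the allow-list the link is dropped and only the name is shown.
def render_link_safe(url: str, realname: str) -> str:
    name = html.escape(realname, quote=True)
    vetted = safe_url(url)
    if vetted is None:
        return name
    return f'<a href="{html.escape(vetted, quote=True)}">{name}</a>'

if __name__ == "__main__":
    # Constructed submissions, not data from the original post.
    for url, name in [("&{alert('x')}", "guest"),
                      ("javascript:alert(1)", "guest"),
                      ("http://example.com/?a=1&{alert(1)}", 'A <b> "B"')]:
        print("unsafe:", render_link_unsafe(url, name))
        print("safe:  ", render_link_safe(url, name))
```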