Full Disclosure mailing list archives
[A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler?
From: bipin gautam <visitbipin () yahoo com>
Date: Fri, 10 Oct 2003 10:16:45 -0700 (PDT)
--- [Effected] --- All versions of "OPERA, MOZILLA and INTERNET EXPLORER" available up to this, relese DATE! --- [Proof of concept] --- We have made a small script. Check it out, http://www.cyberdude.com.np/javascript.htm --- [Bug Details] --- ******************************************** <html> <body> <p>THIS IS hUNT3R aka: Bipin Gautam</p> <script>alert("<script>location.href="http://www.ysgnet.com"</script>")</script> </body> </html> ******************************************** <html> <body> <p>THIS IS hUNT3R aka:Bipin Gautam, exploit revised by Cyberdude</p> <script> document.write("<b>hUNTER & Cyberdude</b></script><script>alert("it works 1"); alert("This works 2"); </script> </body> </html> ********************************************* --[Description]--- The browser is letting you compile some-thing inside the alert function. Well, its should show it anyways without compiling the script tag as it is inside the quotation. But surprising, the output is different! We found JavaScript compiler choked when we use the <script> tag inside a function like alert(); this also proves to be true for document.write(); function. This means that this script is going to choke bad and you wont get any output but just the ); thatÂ’s all. This script is working. Its not that it is not working. It works in the starting script tag but when the html parses the script tag inside the document.write it goes mad coz nested scripting is not possible in HTML, the only nested tag in HTML must be the table tag, so in this script the HTML interpreter goes mad. but we can still insert the java script in it. What we did was, we inserted the closing tag of JavaScript </script> first closing the script tag that was opened already. After that we added the new starting <script> tag and wrote two alert tags now... So this is how we injected two alert tags in the java script. --- [Conclusion] --- This proves injection of JavaScript inside a JavaScript making it available to use the current variable and change some static values predefined and even access other function without a problem. This was just a small demo; we use this simple script to just stop it from printing garbage on the screen. --- [Background Information] --- This bug was originally discovered by hUNT3R,[myself] a member of 01 Security Submission. I would like to thank my friend 'Cyberdude' for further exploring it and taking it to a new Level. http://www.ysgnet.com/hn ---[I want a JOB/scholarship... anyone??? - hUNT3R]--- __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler? bipin gautam (Oct 10)
- Re: [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler? J. Race (Oct 10)
- Re: [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler? bipin gautam (Oct 10)
- Re: [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler? jelmer (Oct 10)
- Re: [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler? bipin gautam (Oct 10)
- Re: [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler? J. Race (Oct 10)