Re: [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler?

[jelmer <jkuperus () planet nl>]

This is the code you send

<html>
<body>
<p>THIS IS hUNT3R aka:Bipin Gautam, exploit revised by
Cyberdude</p>
<script>
document.write("<b>hUNTER &
Cyberdude</b></script><script>alert("it works 1");
alert("This works 2");
</script>
</body>
</html>


this gives an Unterminated string constant error followed by 2 alerts, which
is exactly what it should do

1. <script>document.write("<b>hUNTER & Cyberdude</b></script>

this gives the unterminated string constant, your simply not closing your
string, <b>hUNTER & Cyberdude never gets written out

2. <script>alert("it works 1"); alert("This works 2"); </script>

This is perfectly valid and thus executes


I really dont see what your trying to do or what the threat would be when
you got whatever your trying to do to work

--jelmer





----- Original Message ----- 
From: "bipin gautam" <visitbipin () yahoo com>
To: <Full-Disclosure () lists netsys com>
Cc: <bugtraq () securityfocus com>
Sent: Friday, October 10, 2003 7:16 PM
Subject: [Full-disclosure] [A bug! update...] Whom to blame, the HTML
interpreter or the JavaScript compiler?


> --- [Effected] ---
> All versions of "OPERA, MOZILLA and INTERNET EXPLORER"
> available up to this, relese DATE!
> --- [Proof of concept] ---
> We have made a small script. Check it out,
> http://www.cyberdude.com.np/javascript.htm
> --- [Bug Details] ---
> ********************************************
> <html>
> <body>
> <p>THIS IS hUNT3R aka: Bipin Gautam</p>
<script>alert("<script>location.href="http://www.ysgnet.com";</script>")</scr
ipt>
> </body>
> </html>
> ********************************************
>
>
> <html>
> <body>
> <p>THIS IS hUNT3R aka:Bipin Gautam, exploit revised by
> Cyberdude</p>
> <script>
> document.write("<b>hUNTER &
> Cyberdude</b></script><script>alert("it works 1");
> alert("This works 2");
> </script>
> </body>
> </html>
>
> *********************************************
> --[Description]---
> The browser is letting you compile some-thing inside
> the alert function. Well, its should show it anyways
> without compiling the script tag as it is inside the
> quotation. But surprising, the output is different! We
> found JavaScript compiler choked when we use the
> <script> tag inside a function like alert(); this also
> proves to be true for document.write(); function. This
> means that this script is going to choke bad and you
> wont get any output but just the ); that's all.
>
> This script is working. Its not that it is not
> working. It works in the starting script tag but when
> the html parses the script tag inside the
> document.write it goes mad coz nested scripting is not
> possible in HTML, the only nested tag in HTML must be
> the table tag, so in this script the HTML interpreter
> goes mad. but we can still insert the java script in
> it.
>
> What we did was, we inserted the closing tag of
> JavaScript </script> first closing the script tag that
> was opened already. After that we added the new
> starting <script> tag and wrote two alert tags now...
> So this is how we injected two alert tags in the java
> script.
> --- [Conclusion] ---
> This proves injection of JavaScript inside a
> JavaScript making it available to use the current
> variable and change some static values predefined and
> even access other function without a problem. This was
> just a small demo; we use this simple script to just
> stop it from printing garbage on the screen.
> --- [Background Information] ---
> This bug was originally discovered by hUNT3R,[myself]
> a member of 01 Security Submission. I would like to
> thank my friend 'Cyberdude' for further exploring it
> and taking it to a new Level.
> http://www.ysgnet.com/hn
> ---[I want a JOB/scholarship... anyone??? - hUNT3R]---
>
>
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product search
> http://shopping.yahoo.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html