Full Disclosure mailing list archives
Re: [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler?
From: bipin gautam <visitbipin () yahoo com>
Date: Fri, 10 Oct 2003 19:28:01 -0700 (PDT)
The browser is letting you compile something inside the alert function. Well, it should show it anyway without compiling the script tag, as it is inside the quotation. But surprisingly, the output is different!
This proves injection of JavaScript inside JavaScript, making it available to use the current variables, change some predefined static values and even access other functions without a problem.
THIS COULD BE USED IN MANY ATTACKS... AND CAN BE A LOT OF PROBLEMS FOR WEBSITES where poor JS is used...

---------------------------------------

--- jelmer <jkuperus () planet nl> wrote:

This is the code you send:

<html>
<body>
<p>THIS IS hUNT3R aka:Bipin Gautam, exploit revised by Cyberdude</p>
<script>
document.write("<b>hUNTER & Cyberdude</b></script><script>alert("it works 1"); alert("This works 2"); </script>
</body>
</html>

This gives an "Unterminated string constant" error followed by 2 alerts, which is exactly what it should do.

1. <script>document.write("<b>hUNTER & Cyberdude</b></script>
This gives the unterminated string constant; you're simply not closing your string, so <b>hUNTER & Cyberdude never gets written out.

2. <script>alert("it works 1"); alert("This works 2"); </script>
This is perfectly valid and thus executes.

I really don't see what you're trying to do, or what the threat would be when you got whatever you're trying to do to work.

--jelmer

----- Original Message -----
From: "bipin gautam" <visitbipin () yahoo com>
To: <Full-Disclosure () lists netsys com>
Cc: <bugtraq () securityfocus com>
Sent: Friday, October 10, 2003 7:16 PM
Subject: [Full-disclosure] [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler?

--- [Affected] ---
All versions of "OPERA, MOZILLA and INTERNET EXPLORER" available up to this release date!

--- [Proof of concept] ---
We have made a small script. Check it out: http://www.cyberdude.com.np/javascript.htm

--- [Bug Details] ---
********************************************
<html>
<body>
<p>THIS IS hUNT3R aka: Bipin Gautam</p>
<script>alert("<script>location.href="http://www.ysgnet.com"</script>")</script>
</body>
</html>
********************************************
<html>
<body>
<p>THIS IS hUNT3R aka:Bipin Gautam, exploit revised by Cyberdude</p>
<script>
document.write("<b>hUNTER & Cyberdude</b></script><script>alert("it works 1"); alert("This works 2"); </script>
</body>
</html>
*********************************************

--- [Description] ---
The browser is letting you compile something inside the alert function. Well, it should show it anyway without compiling the script tag, as it is inside the quotation. But surprisingly, the output is different! We found the JavaScript compiler choked when we used the <script> tag inside a function like alert(); this also proves to be true for the document.write() function. This means that this script is going to choke badly and you won't get any output but just the ); that's all.

This script is working. It's not that it is not working. It works in the starting script tag, but when the HTML parses the script tag inside the document.write it goes mad, because nested scripting is not possible in HTML; the only nested tag in HTML must be the table tag, so in this script the HTML interpreter goes mad. But we can still insert the JavaScript in it. What we did was, we inserted the closing tag of JavaScript </script> first, closing the script tag that was opened already. After that we added the new starting <script> tag and wrote two alert tags. So this is how we injected two alert tags in the JavaScript.

--- [Conclusion] ---
This proves injection of JavaScript inside JavaScript, making it available to use the current variables, change some predefined static values and even access other functions without a problem. This was just a small demo; we use this simple script just to stop it from printing garbage on the screen.

--- [Background Information] ---
This bug was originally discovered by hUNT3R [myself], a member of 01 Security Submission. I would like to thank my friend 'Cyberdude' for further exploring it and taking it to a new level.
http://www.ysgnet.com/hn

---[I want a JOB/scholarship... anyone??? -hUNT3R]---

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
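The behaviour argued over in this thread is a property of the HTML parser, not of the JavaScript engine: the content of a <script> element is raw text that ends at the first "</script" the HTML tokenizer sees, regardless of any JavaScript quoting around it. The following is an added example, written for this page and not code from either poster, that models that rule, feeds both posted snippets through it to show exactly which source text each script block hands to the engine, and shows the embedding that stops the breakout (escaping "<" as \u003c in the serialised value). The model is deliberately simplified: it ignores the tokenizer's "<!--" escaped-script-data states, and all function and constant names are my own.

```javascript
// Added example, not from the original thread.
// Model of how an HTML parser delimits <script> content: the element body
// is raw text ending at the first "</script" followed by whitespace, "/"
// or ">" (case-insensitive). JavaScript string syntax plays no part.
// Simplification (assumption): the "<!--" escape states of the real
// tokenizer are not modelled; they only matter if the script itself
// contains "<!--".

// Return the text the engine would receive from the first <script>
// element in `html`, plus the markup the HTML parser continues with.
function splitFirstScript(html) {
  const open = /<script\b[^>]*>/i.exec(html);
  if (!open) return null;
  const start = open.index + open[0].length;
  const close = /<\/script(?=[\s\/>])/i.exec(html.slice(start));
  if (!close) return { js: html.slice(start), rest: "" };
  const endTag = start + close.index;
  const gt = html.indexOf(">", endTag);
  return { js: html.slice(start, endTag), rest: gt === -1 ? "" : html.slice(gt + 1) };
}

// Every script block the parser would hand to the engine, in document order.
function allScripts(html) {
  const out = [];
  let cur = html;
  for (let s = splitFirstScript(cur); s; s = splitFirstScript(cur)) {
    out.push(s.js);
    cur = s.rest;
  }
  return out;
}

// Does this block even parse as JavaScript? (Compiles without running it.)
function compilesAsJs(js) {
  try { new Function(js); return true; } catch (e) { return false; }
}

// Safe embedding of untrusted data in an inline script: serialise as JSON,
// then escape "<" so no "</script" or "<!--" can appear in the output.
// The escaped literal still evaluates to the identical string.
function toInlineScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The two snippets from the thread (constructed here, whitespace collapsed).
const POC1 =
  '<html><body><p>THIS IS hUNT3R aka: Bipin Gautam</p>' +
  '<script>alert("<script>location.href="http://www.ysgnet.com"</script>")</script></body></html>';
const POC2 =
  '<html><body><script> document.write("<b>hUNTER & Cyberdude</b></script>' +
  '<script>alert("it works 1"); alert("This works 2"); </script></body></html>';

// Same breakout payload, but embedded through the escaping serialiser:
// it stays inside one script block, inside one intact string literal.
const UNTRUSTED = '</script><script>alert("This works 2")</script>';
const HARDENED = '<script>document.write(' + toInlineScriptLiteral(UNTRUSTED) + ');</script>';

for (const [name, html] of [["POC1", POC1], ["POC2", POC2], ["HARDENED", HARDENED]]) {
  console.log(name);
  for (const js of allScripts(html)) {
    console.log("  block:", JSON.stringify(js), compilesAsJs(js) ? "(compiles)" : "(SyntaxError)");
  }
}
```

Run under Node: POC1 yields a single block that is cut off at the inner "</script>" and fails to compile (the trailing ") is left to the HTML parser as text, which is the "just the );" the original post describes); POC2 yields two blocks, the first an unterminated string, the second valid, which is the error-plus-two-alerts that jelmer reports. The hardened page yields one block whose string round-trips to the original payload.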
Current thread:
- [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler? bipin gautam (Oct 10)
- Re: [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler? J. Race (Oct 10)
- Re: [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler? bipin gautam (Oct 10)
- Re: [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler? jelmer (Oct 10)
- Re: [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler? bipin gautam (Oct 10)
- Re: [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler? J. Race (Oct 10)