Re: [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler?

[bipin gautam <visitbipin () yahoo com>]

> The browser is letting you compile some-thing inside
> the alert function. Well, its should show it anyways
> without compiling the script tag as it is inside the
> quotation. But surprising, the output is different!

This proves injection of JavaScript inside a
> JavaScript making it available to use the current
> variable and change some static values predefined
and
> even access other function without a problem.

THIS COULD BE USED IN MANY
ATTACK................................ AND CAN BE A
LOT OF PROBLEM TO THE WEBSITE where poor JS is used...
---------------------------------------
--- jelmer <jkuperus () planet nl> wrote:
> This is the code you send
>
> <html>
> <body>
> <p>THIS IS hUNT3R aka:Bipin Gautam, exploit revised
> by
> Cyberdude</p>
> <script>
> document.write("<b>hUNTER &
> Cyberdude</b></script><script>alert("it works 1");
> alert("This works 2");
> </script>
> </body>
> </html>
>
>
> this gives an Unterminated string constant error
> followed by 2 alerts, which
> is exactly what it should do
>
> 1. <script>document.write("<b>hUNTER &
> Cyberdude</b></script>
>
> this gives the unterminated string constant, your
> simply not closing your
> string, <b>hUNTER & Cyberdude never gets written out
>
> 2. <script>alert("it works 1"); alert("This works
> 2"); </script>
>
> This is perfectly valid and thus executes
>
>
> I really dont see what your trying to do or what the
> threat would be when
> you got whatever your trying to do to work
>
> --jelmer
>
>
>
>
>
> ----- Original Message ----- 
> From: "bipin gautam" <visitbipin () yahoo com>
> To: <Full-Disclosure () lists netsys com>
> Cc: <bugtraq () securityfocus com>
> Sent: Friday, October 10, 2003 7:16 PM
> Subject: [Full-disclosure] [A bug! update...] Whom
> to blame, the HTML
> interpreter or the JavaScript compiler?
>
>
> > --- [Effected] ---
> > All versions of "OPERA, MOZILLA and INTERNET
> EXPLORER"
> > available up to this, relese DATE!
> > --- [Proof of concept] ---
> > We have made a small script. Check it out,
> > http://www.cyberdude.com.np/javascript.htm
> > --- [Bug Details] ---
> > ********************************************
> > <html>
> > <body>
> > <p>THIS IS hUNT3R aka: Bipin Gautam</p>
<script>alert("<script>location.href="http://www.ysgnet.com";</script>")</scr
> ipt>
> > </body>
> > </html>
> > ********************************************
> >
> >
> > <html>
> > <body>
> > <p>THIS IS hUNT3R aka:Bipin Gautam, exploit
> revised by
> > Cyberdude</p>
> > <script>
> > document.write("<b>hUNTER &
> > Cyberdude</b></script><script>alert("it works 1");
> > alert("This works 2");
> > </script>
> > </body>
> > </html>
> >
> > *********************************************
> > --[Description]---
> > The browser is letting you compile some-thing
> inside
> > the alert function. Well, its should show it
> anyways
> > without compiling the script tag as it is inside
> the
> > quotation. But surprising, the output is
> different! We
> > found JavaScript compiler choked when we use the
> > <script> tag inside a function like alert(); this
> also
> > proves to be true for document.write(); function.
> This
> > means that this script is going to choke bad and
> you
> > wont get any output but just the ); that's all.
> >
> > This script is working. Its not that it is not
> > working. It works in the starting script tag but
> when
> > the html parses the script tag inside the
> > document.write it goes mad coz nested scripting is
> not
> > possible in HTML, the only nested tag in HTML must
> be
> > the table tag, so in this script the HTML
> interpreter
> > goes mad. but we can still insert the java script
> in
> > it.
> >
> > What we did was, we inserted the closing tag of
> > JavaScript </script> first closing the script tag
> that
> > was opened already. After that we added the new
> > starting <script> tag and wrote two alert tags
> now...
> > So this is how we injected two alert tags in the
> java
> > script.
> > --- [Conclusion] ---
> > This proves injection of JavaScript inside a
> > JavaScript making it available to use the current
> > variable and change some static values predefined
> and
> > even access other function without a problem. This
> was
> > just a small demo; we use this simple script to
> just
> > stop it from printing garbage on the screen.
> > --- [Background Information] ---
> > This bug was originally discovered by
> hUNT3R,[myself]
> > a member of 01 Security Submission. I would like
> to
> > thank my friend 'Cyberdude' for further exploring
> it
> > and taking it to a new Level.
> > http://www.ysgnet.com/hn
> > ---[I want a JOB/scholarship... anyone??? -
> hUNT3R]---
> > __________________________________
> > Do you Yahoo!?
> > The New Yahoo! Shopping - with improved product
> search
> > http://shopping.yahoo.com
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> http://lists.netsys.com/full-disclosure-charter.html


__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html