CSS bug in Winamp

From: DownBload (downbloadat_private)
Date: Sun Aug 04 2002 - 15:40:35 PDT


            [ Illegal Instruction Security Research Labs Advisory ]
    [--------------------------------------------------------------------]
    Advisory name: CSS bug in Winamp
    Advisory number: 8
    Application: Winamp 
    Vendor: Nullsoft
    WEB: www.winamp.com
    Tested on: Winamp 2.76 and 2.79 (Windows 98)
    Impact: CSS execution during generation of html playlist
    Discovered by: DownBload
    Mail me @: downbloadat_private
    
    
    
    
    ------[ Overview
    Winamp is (as we all know) the most popular mp3 player. 
    
    
    
    
    ------[ Problem
    The ID3v2 tag in an mp3 file carries information about the file (artist, 
    title, album, comment, etc.). Winamp supports creating an html playlist 
    from the Winamp playlist.
    During generation, only the 'artist' and 'title' fields of the ID3v2 tag 
    are written into the html file.
    Because these fields are copied into the html as-is, arbitrary CSS 
    (cross-site scripting) code placed in the 'artist' or 'title' field is 
    executed when the generated html playlist is opened in the default web 
    browser.
    
    
    
    
    ------[ Example
    Open 'view file info' on some mp3 file (the read-only flag on that file must 
    be removed) and edit the ID3v2 tag. Put some text in the 'artist' field (if 
    you want to fool somebody, it is best to write the artist name and song 
    name in the 'artist' field, followed by around 100 blank space characters 
    and a '.'), and put the CSS code that will be executed in the 'title' 
    field. For testing purposes, in the 'title' field you can put:
    -----cut here-----
    <script> alert ("HI!!!"); </script>
    -----cut here-----
    You can also put some blank space (in the 'title' field) before the CSS code. 
    After that, generate the html file from the playlist, and you will see a 
    msgbox with the text HI!!! 
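The following is an added example (not code from the advisory or from Nullsoft) that models the report: a constructed ID3v2.3 tag whose title carries the advisory's test string, a minimal reader for its TPE1/TIT2 text frames, a check that flags tag text containing markup, and the playlist generator in its reported (verbatim copy) and hardened (HTML-escaped) forms. Frame layout follows the ID3v2.3 spec; the demo file and function names are assumptions made here.

```python
import html
import struct

# Constructed ID3v2.3 frames for the demo (not a real Winamp-generated file); TPE1 = artist, TIT2 = title.
DEMO_FRAMES = {"TPE1": "Some Artist", "TIT2": '<script> alert ("HI!!!"); </script>'}

def syncsafe(n):
    """ID3v2 tag sizes are 28-bit 'syncsafe' ints: 4 bytes, high bit of each clear."""
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])

def build_id3v23(frames):
    """Build a minimal ID3v2.3 tag: 10-byte header + ISO-8859-1 text frames."""
    body = b""
    for fid, text in frames.items():
        payload = b"\x00" + text.encode("latin-1")        # encoding byte 0 = Latin-1
        body += fid.encode("ascii") + struct.pack(">I", len(payload)) + b"\x00\x00" + payload
    return b"ID3\x03\x00\x00" + syncsafe(len(body)) + body

def read_text_frames(data):
    """Return {frame_id: text} for the T*** text frames of an ID3v2.3 tag."""
    if data[:3] != b"ID3" or data[3] != 3:
        return {}
    b = data[6:10]
    end = 10 + ((b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3])
    pos, out = 10, {}
    while pos + 10 <= min(end, len(data)):
        fid = data[pos:pos + 4]
        flen = struct.unpack(">I", data[pos + 4:pos + 8])[0]   # v2.3 frame size is plain BE32
        if fid == b"\x00\x00\x00\x00" or flen == 0:
            break                                              # reached the padding
        payload = data[pos + 10:pos + 10 + flen]
        if fid.startswith(b"T") and payload:
            codec = "latin-1" if payload[0] == 0 else "utf-16"
            out[fid.decode("ascii")] = payload[1:].decode(codec).rstrip("\x00")
        pos += 10 + flen
    return out

def looks_like_markup(text):
    """Detection check: tag text that a browser could interpret as HTML/script."""
    return any(marker in text.lower() for marker in ("<", ">", "javascript:"))

def unsafe_playlist_html(entries):
    """Mirrors the reported behaviour: artist and title copied verbatim into HTML."""
    return "\n".join(f"<li>{artist} - {title}</li>" for artist, title in entries)

def safe_playlist_html(entries):
    """Hardened form: every tag-derived string is HTML-escaped before emission."""
    return "\n".join(f"<li>{html.escape(artist)} - {html.escape(title)}</li>"
                     for artist, title in entries)
```

Running `read_text_frames(build_id3v23(DEMO_FRAMES))` and feeding the artist/title pair to both generators shows the script tag surviving in the unsafe output and appearing as `&lt;script&gt;` in the escaped one.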
    
    
    
    ------[ GREETZ
    Goes to Illegal Instruction Labs (Boyscout, h4z4rd, Sunnis, Styx), 
    www.active-security.org, finis, Fr1c, harlequin, st0rm, phreax,  all of 
    #hr.hackers <irc.carnet.hr>.
    Thanks to dr_cr@zy for providing me with hardware support, when my computer
    is on vacation :).
    Very special greetz go to |<4r0l1n4.
    I'm very sorry if I forgot someone...
    



    This archive was generated by hypermail 2b30 : Tue Aug 06 2002 - 09:10:36 PDT