[bWM#012] Passing script/html-filter with special chars (multibrowser)

From: ben.moeckelat_private
Date: Tue Jul 29 2003 - 19:48:01 PDT


    ben moeckel security research - http://badWebMasters.net - security
    advisories
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
    
    badWebMasters security advisory #012:
    
    	Passing script/html-filter with special chars (multibrowser)
    
    
    Discovery date: 2003-07-16
    
    Author: 
    
    	ben moeckel (http://distressed.de)
    	mailto: badwebmastersat_private
    
    
    Description:
    
    	When web browsers parse HTML they drop certain special characters;
    	a malicious user can take advantage of this behaviour to fool
    	script/HTML filters in web applications.
    
    
    Detail:
    
    	badWebMasters showed in their advisory #011 how to pass
    	the "Snitz Forums" script filter with the tab char (09).
    	After "Opera" and "Mozilla" users noticed that the
    	provided exploit didn't work on their systems I decided
    	to start some new tests, with an amazing result!
    
    	To detect which special chars can be used in HTML
    	parameters I set up the following ASP page:
    
    	-------------------------------------------2.asp---------
    	<%@LANGUAGE=JScript%><%
    	// Mozilla blocks window.alert() inside "javascript:" image URLs,
    	// so a() wraps it in a page-level function that the URLs call.
    	%><script>function a(o){alert(o)}</script><%
    	// Control case: a plain javascript: URL, to confirm the browser
    	// executes such image sources at all.
    	%><img src="javascript:a('test')" /><%
    
    	// Emit one <img> per byte value 0..255, placing that byte between
    	// "ja" and "vascript:". An alert showing i means the browser dropped
    	// byte i and still recognised the javascript: scheme.
    	var i, uc;
    	for(i=0;i<256;++i){
    		uc = "%"+chk(i.toString(16));
    		%><img src="ja<%=unescape(uc)%>vascript:a(<%=i%>)" />
    	<% }
    
    	// Pad a one-digit hex value to two digits so "%"+hex is a valid
    	// escape sequence for unescape().
    	function chk(sInp){if(sInp.length<2){
    		return String("0"+sInp)
    	}else{return sInp}}
    	%>
    	---------------------------------------------------------
    
    	The page was viewed with Mozilla, Opera and Internet
    	Explorer; the alert box popped up for these chars, in this order:
    
    		Mozilla 1.3.1 (Win32): 	0 (with restrictions)
    
    		Opera 7.11 (Win32): 	0, 9, 10, 13, 173
    
    		Internet Explorer 5.0:	13, 10, 9, 0
    
    	Mozilla doesn't allow the window.alert() method in "javascript:"
    	images, so I had to use my own function "a()". It also returned
    	an error for chars 9, 10 and 13: "Error: unterminated regular
    	expression literal".
    
    	Webmasters should be careful with char 173 (ADh), which works
    	in Opera only.
    
    	And last but not least silly Internet Explorer: reversed order!?
    
    
    Test:
    
    	http://badwebmasters.net/advisory/012/test.asp
    
    
    Workaround:
    
    	This advisory addresses all web apps that use a badword filter:
    	make sure all control chars are removed before the badwords are
    	removed!
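    	The workaround above, as an added example that is not part of the
    	advisory: a naive badword filter beside one that first strips the
    	chars the advisory found browsers drop (0, 9, 10, 13 and 173), with
    	constructed sample attribute values in the shape of the test page.

```javascript
// Added example, not the advisory's code. Byte values the advisory
// reports as ignored by at least one browser inside a "javascript:" URL:
// NUL, TAB, LF, CR and 173 (ADh). Stripping 173 costs nothing even for
// browsers that do not drop it.
const BROWSER_DROPPED = new Set([0x00, 0x09, 0x0a, 0x0d, 0xad]);

// Remove every char a browser might silently discard, so the filter
// sees the value the way the browser's URL parser will.
function stripBrowserDropped(value) {
  let out = "";
  for (const ch of value) {
    if (!BROWSER_DROPPED.has(ch.codePointAt(0))) out += ch;
  }
  return out;
}

// Naive filter: passes unless the literal badword is present.
function naiveAllows(attrValue) {
  return !/javascript:/i.test(attrValue);
}

// Hardened filter (the advisory's workaround): strip first, then check.
function hardenedAllows(attrValue) {
  return !/javascript:/i.test(stripBrowserDropped(attrValue));
}

// Constructed samples mirroring the <img src="ja<byte>vascript:..."> test.
const SAMPLES = {
  plain: "javascript:a('test')",
  nul: "ja\u0000vascript:a(0)",
  tab: "ja\tvascript:a(9)",
  lf: "ja\nvascript:a(10)",
  cr: "ja\rvascript:a(13)",
  softHyphen: "ja\u00advascript:a(173)",
  benign: "http://example.invalid/logo.png",
};

// Run both filters over every sample; returns {name: {naive, hardened}}.
function evaluate() {
  const result = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    result[name] = { naive: naiveAllows(value), hardened: hardenedAllows(value) };
  }
  return result;
}
```

    	Every control-char variant is allowed by the naive filter and
    	rejected by the hardened one; the benign URL passes both.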
    
    
    References: 
    
    	badWebMasters advisory #011: Cross-Site-Scripting @ Snitz Forums
    	- http://cert.uni-stuttgart.de/archive/bugtraq/2003/04/msg00247.html
    
    
    Feedback: 
    
    	Comments, suggestions, updates, anything else?
    		-> mailto:badwebmastersat_private
    
    
    Source:
    
    	http://badwebmasters.net/advisory/012/ (text/html)
    
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Copyright 2003 by ben moeckel (Benjamin Klimmek) for badWebMasters.
    http://badwebmasters.net
    



    This archive was generated by hypermail 2b30 : Wed Jul 30 2003 - 11:33:43 PDT