Re: Web Browsers vulnerable to the Extended HTML Form Attack (IE and OPERA)

From: jon schatz (jonat_private)
Date: Thu Feb 07 2002 - 13:20:08 PST


    On Thu, 2002-02-07 at 08:40, Mark Renouf wrote:
    > obscure wrote:
    > FYI: Mozilla 0.9.8+ gives an alert:
    > "Access to the port number given has been disabled for security reasons."
    
    this is one of those ancient netscape-isms. there are certain ports that
    you've never been able to connect to. While i can't seem to find an
    exact list anywhere, i did find this in some iplanet docs, and i assume
    this is implemented the same way in the mozilla core:
    
    "To avoid protocol spoofing by rogue/misconfigured URLs, iPlanet Web
    Proxy Server does not allow clients to connect on certain reserved
    ports.
    
    If using an HTTP URL, the client may not configure the URL to use the
    following ports:
    
    1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 23, 25, 37, 42, 43, 53, 70, 77, 79,
    87, 95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 135, 143,
    389, 512, 513, 514, 515, 526, 530, 531, 532, 540, 556, 601, 6000"
    
    http://docs.iplanet.com/docs/manuals/proxy/36/adminnt/resport.htm
    
    
    also (just for grins), i tried something similar with apache (since port
    80 is ok):
    
    [jon@opiate jon]$ nc localhost 80
    GET /<script>alert(document.cookie)</script> HTTP/1.0
    
    HTTP/1.1 404 Not Found
    <--snip-->
    <H1>Not Found</H1>
    <--snip-->
    The requested URL /&lt;script&gt;alert(document.cookie)&lt;/script&gt;
    was not found on this server.<P>
    <HR>
    
    i also tested with squid (notice port 3128 isn't in the blocked list):
    
    HTTP/1.0 400 Bad Request
    <--snip-->
    While trying to retrieve the URL:
    <A
    HREF="/&lt;script&gt;alert(document.cookie)&lt;/script&gt;">/&lt;script&gt;alert(document.cookie)&lt;/script&gt;</A>
    <--snip-->
    
    both of them encoded the <>'s.
    
    and finally, i tried with iis. i got back an error page that made no
    mention of the url i requested.
    
    there are a lot of other services on the web that may or may not echo
    back commands though, so i bet there are more versions of this same
    exploit.
    
    -jon
    
    -- 
    jonat_private || www.divisionbyzero.com
    gpg key: www.divisionbyzero.com/pubkey.asc
    think i have a virus?: www.divisionbyzero.com/pgp.html
    "You are in a twisty little maze of Sendmail rules, all confusing." 
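The two mitigations this message touches on, the browser/proxy-side refusal of reserved ports and the server-side escaping that Apache and Squid show in the transcripts, as an added Python example that is not part of jon's post or of any product named in it. The port list is the one quoted from the iPlanet docs above; the function names `http_url_allowed` and `not_found_body` are assumed here.

```python
import html
from urllib.parse import urlsplit

# Reserved ports as listed in the iPlanet Web Proxy Server documentation
# quoted in the message above (assumed to be the complete list it gives).
BLOCKED_PORTS = frozenset({
    1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 23, 25, 37, 42, 43, 53, 70, 77, 79,
    87, 95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 135, 143,
    389, 512, 513, 514, 515, 526, 530, 531, 532, 540, 556, 601, 6000,
})


def http_url_allowed(url: str) -> bool:
    """Return False when an http:// URL names one of the reserved ports.

    This mirrors the client-side mitigation: a form or link that would make
    the browser speak HTTP to, say, an SMTP or NNTP daemon is refused before
    any connection is made.  A URL with no explicit port means port 80,
    which is allowed; a malformed port is refused.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False
    try:
        port = parts.port  # None when the URL carries no explicit port
    except ValueError:     # non-numeric or out-of-range port
        return False
    return (port if port is not None else 80) not in BLOCKED_PORTS


def not_found_body(request_line: str) -> str:
    """Build the body of a 404 page that echoes the requested path safely.

    This is the server-side mitigation the Apache and Squid transcripts
    show: the path is HTML-escaped, so '<script>' comes back as
    '&lt;script&gt;' and is rendered as text instead of being executed by
    the browser that submitted the form.
    """
    parts = request_line.split()
    path = parts[1] if len(parts) >= 2 else "/"
    return ("<H1>Not Found</H1>\nThe requested URL %s was not found on this "
            "server.<P>\n<HR>" % html.escape(path, quote=True))
```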
    
    
    



    This archive was generated by hypermail 2b30 : Thu Feb 07 2002 - 14:03:34 PST