[25434] in bugtraq
Re: GOBBLES SECURITY ADVISORY #33
daemon@ATHENA.MIT.EDU (Blue Boar)
Fri May 10 23:48:02 2002
Date: Fri, 10 May 2002 20:31:06 -0700
From: Blue Boar <BlueBoar@thievco.com>
To: bugtraq@securityfocus.com
Message-id: <3CDC907A.1030501@thievco.com>
MIME-version: 1.0
Content-type: text/plain; format=flowed; charset=us-ascii
Content-transfer-encoding: 7bit
> What follows is GOBBLES advisory #33.
<snip>
> * JavaScript entities
> - ---------------------
>
> Only hotmail security historians like those at GOBBLES Security know of
> obscure feature in JavaScript language that make it easy to bypass thing
> like "<...>", "<script>...</script>", and "javascript:" filter for CSS
> attack using JavaScript. That is thing called JavaScript entity. Like...
>
> &{alert('GOBBLES')};
I was initially a bit confused, since none of your examples worked when I
tried them. However, after a quick Google search, I found this page:
http://www.javascriptkit.com/javatutors/entity3.shtml
Which says that Javascript entities are not supported in IE. They've been
supported in Netscape since 3.0, but experimentation shows that they don't
work in Mozilla 0.99. I don't have Opera to test. They do work in Netscape
4.78 on Win98SE. I think it's likely that this feature only works in
Netscape 3.x through 4.7x, which I believe have been abandoned for further
updates, so they shouldn't be used if you're trying to be secure.
Hang on...
Dave Ahmad reports that he can't get them to work on MSIE 6.0.26 / Windows
ME and Opera 6.0 Technology Preview 3 Build 98, on Linux 2.2.16-22. He can
get it to work on Netscape 4.75 on Linux.
What browsers did you test?
<snip>
> 3. thievco.com / Matt Wright's guestbook script
> - -----------------------------------------------
> Matt Wright's guestbook script can be found at:
>
> http://worldwidemart.com/scripts/guestbook.shtml
>
> To he credit, he has $allow_html variable that can strip "<...>" stuff, but
> once again, GOBBLES trademarked JavaScript Entity CSS Technique come to the
> rescue. Incidentally, The Blue Boar allows html in his guestbook fields, but
> as we just said, the presence of this does not determine whether or not we
> can use our CSS technique. We always can.
>
> if ($FORM{'url'}) {
> print GUEST "<a href=\"$FORM{'url'}\">$FORM{'realname'}</a>";
> }
>
> You see, even if html form do not have 'url' parameter, remote attacker can
> still create their own local html form pointing at The Blue Boar's website
> or some other site with Matt Wright's guestbook script. This permits them to
> inject malicious data via 'url' parameter that will allow CSS attacks on
> anyone viewing the guestbook.
As the uhh.. vendor for this site, my official response is that your CSS
example at thievco.com is completely irrelevant. As you mention yourself,
I allow arbitrary HTML in the guestbook, so there is no point in using a
CSS attack. What mischief can be accomplished with my guestbook is a
superset of CSS.
Suggest you take a look at the history of other problems with Guestbook.
It hasn't been maintained in years, and previous attempts to contact the
author have gone unanswered (did you try?). You might consider releasing a
patch for it with your information. Since it has known holes and is
unmaintained, I recommend that it not be used on sites that one is
concerned about being broken into. Since my site is hosted, anyone with
$20 can have a shell on that machine, so breakins are not a large concern
for me.
Thanks for thinking of me, though. Sorry that I don't have time like Dave
to edit your posts to vuln-dev to make them suitable for publishing.
BB
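An added defender-side example, not from the advisory, this reply, or Matt Wright's guestbook: the quoted `print GUEST "<a href=...">` logic rewritten in Python, with the verbatim interpolation beside a hardened version that allow-lists the URL scheme and HTML-escapes both fields, so an `&{...};` JavaScript entity reaches the page as inert text. The form dictionary and its field names are constructed to mirror the quoted snippet.

```python
import html
from urllib.parse import urlparse

# Constructed sample submission modelled on the guestbook fields quoted above;
# 'realname' carries the JavaScript-entity string from the advisory.
SAMPLE_FORM = {
    "realname": "&{alert('GOBBLES')};",
    "url": "javascript:alert('GOBBLES')",
}


def render_link_unsafe(form):
    """Mirrors the quoted guestbook code: both fields interpolated verbatim."""
    if form.get("url"):
        return '<a href="%s">%s</a>' % (form["url"], form["realname"])
    return ""


def safe_url(url):
    """Return the URL only if it is an absolute http(s) URL, else None.

    A scheme allow-list (rather than a 'javascript:' deny-list) also covers
    schemes the filter author never thought of."""
    parts = urlparse(url)
    if parts.scheme in ("http", "https") and parts.netloc:
        return url
    return None


def render_link_safe(form):
    """Hardened rendering: scheme allow-list plus HTML escaping.

    html.escape(quote=True) rewrites '&' as '&amp;' and quotes as entities,
    so '&{...};' can no longer be read as a JavaScript entity and the value
    cannot close the href attribute early. With no acceptable URL, only the
    escaped name is emitted (plain text, no link)."""
    url = safe_url(form.get("url", ""))
    name = html.escape(form.get("realname", ""), quote=True)
    if url is None:
        return name
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), name)
```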