[38572] in bugtraq
Possible XSS in User-Agent
daemon@ATHENA.MIT.EDU (Nicolas Montoza)
Mon Apr 25 15:10:26 2005
Message-ID: <d5a0834f050424210571867668@mail.gmail.com>
Date: Mon, 25 Apr 2005 01:05:21 -0300
From: Nicolas Montoza <xonico@gmail.com>
Reply-To: Nicolas Montoza <xonico@gmail.com>
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com,
news@securiteam.com, bugs@securitytracker.com,
submissions@packetstormsecurity.org, vuln@secunia.com
Analysis of the User-Agent header shows that it is not filtered in any way, so XSS or HTML can be injected.
POC
===
Let us suppose that the page we visit has a browser check:
You are browsing with Mozilla Firefox....
In PHP, this is simply
<? echo $HTTP_USER_AGENT ?>
Then we install any kind of software that allows us to modify the User-Agent; in Mozilla Firefox you could use this plugin:
https://addons.update.mozilla.org/extensions/moreinfo.php?id=59
Example:
USER AGENT: <h1>Soulblack</h1>
USER AGENT:<script>alert('SoulBlack')</script>
It works correctly :).
The Apache log file:
127.0.0.1 - - [23/Jan/2006:14:54:02 +0000] "GET /favicon.ico HTTP/1.1"
404 283 "-" "<script>alert('SoulBLack')</script>" "-"
The tests were made with PHP and Apache.
The bug could be in PHP, or in the protocol; we have not even tested in another language like ASP, etc ...
If the bug resides in the protocol, the User-Agent control model could be [a-z][0-9].
Any suggestion or comment?
POC created by Soulblack Group.
www.soulblack.com.ar
--
SoulBlack - Security Research
http://www.soulblack.com.ar
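The following is an added example, not part of the original post: it parses Apache combined-format log lines (constructed here, the first mirroring the entry above), flags User-Agent values that carry HTML markup, and shows the unescaped output of the `echo` beside an HTML-encoded rendering. The log format, the `looks_like_markup` heuristic and the sample lines are assumptions for this example.

```python
import html
import re

# Apache "combined" log format: the User-Agent is the quoted field after
# the referer.  Assumed here: the server logs in that default format.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines: the first mirrors the log entry in the post,
# the second is an ordinary browser request.
SAMPLE_LOG = [
    '127.0.0.1 - - [23/Jan/2006:14:54:02 +0000] "GET /favicon.ico HTTP/1.1" '
    '404 283 "-" "<script>alert(\'SoulBLack\')</script>" "-"',
    '10.0.0.5 - - [23/Jan/2006:14:55:10 +0000] "GET / HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (X11; Linux) Firefox/1.0" "-"',
]

# Heuristic: a '<' followed by a tag name or '!' is markup, not a browser name.
MARKUP = re.compile(r'<\s*/?\s*[a-z!]', re.IGNORECASE)


def user_agent_from_log(line):
    """Return the User-Agent field of a combined-format line, or None."""
    m = COMBINED_LOG.match(line)
    return m.group('ua') if m else None


def looks_like_markup(ua):
    return bool(MARKUP.search(ua))


def render_unsafe(ua):
    # Same behaviour as the post's <? echo $HTTP_USER_AGENT ?>: no encoding,
    # so tags in the header become part of the page.
    return "You are browsing with " + ua


def render_safe(ua):
    # Output encoding for an HTML context turns '<', '>', '&' and quotes into
    # entities, so the header is displayed as text instead of interpreted.
    return "You are browsing with " + html.escape(ua, quote=True)


def flag_suspicious(lines):
    """Detection pass over log lines: return User-Agents containing markup."""
    return [ua for ua in map(user_agent_from_log, lines)
            if ua is not None and looks_like_markup(ua)]
```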