Bugtraq mailing list archives

Fwd: GOBBLES RESPONSE TO THE BLUE BOAR ("fixed version")


From: gobbles () hushmail com
Date: Sat, 11 May 2002 21:08:08 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


[Blue Boar's personal attacks have been ignored in this version.]

- -----Quoted Message-----
From: gobbles () hushmail com
Sent: Fri, 10 May 2002 22:06:16 -0700
To: bugtraq () securityfocus com
Subject: GOBBLES RESPONSE TO THE BLUE BOAR

 I was initially a bit confused, since none of your examples worked when I
 tried them. However, after a quick Google search, I found this page:
 http://www.javascriptkit.com/javatutors/entity3.shtml

 Which says that Javascript entities are not supported in IE. They've been
 supported in Netscape since 3.0, but experimentation shows that they don't
 work in Mozilla 0.99. I don't have Opera to test. They do work in Netscape
 4.78 on Win98SE. I think it's likely that this feature only works in
 Netscape 3.x through 4.7x, which I believe have been abandoned for further
 updates, so they shouldn't be used if you're trying to be secure.

 Hang on...
 Dave Ahmad reports that he can't get them to work on MSIE 6.0.26 / Windows
 ME and Opera 6.0 Technology Preview 3 Build 98, on Linux 2.2.16-22. He can
 get it to work on Netscape 4.75 on Linux.

 What browsers did you test?

GOBBLES LABS has tested various versions of Netscape and Galeon. Blue Boar,
we'll have to disagree with you here since we're sure the number of people
using these browsers is much higher than the total number of sites using the
collective mass of scripts vulnerable to cross-scripting attacks that have
made their debut on Vuln-Dev. With the work of Georgi Guninski
(www.guninski.com), would you really use IE?

This is a concern. I'm sure we both agree on the security implications of
the cross-site scripting attack...



 <snip>



 As the uhh.. vendor for this site, my official response is that your CSS
 example at thievco.com is completely irrelevant. As you mention yourself,

You're not the vendor. Matt Wright is the vendor. We haven't audited
anything you've written.


 I allow arbitrary HTML in the guestbook, so there is no point in using a
 CSS attack. What mischief can be accomplished with my guestbook is a
 superset of CSS.

Blue Boar, you're using the perspective of the would-be attacker. As a
security list, Bugtraq is only concerned with the holes themselves, rather
than with their relative importance to the intruder. The difference between
the cracker and the security auditor is that the cracker only needs one
hole, whereas the security auditor needs to identify as many as possible. We
are, of course, whitehat auditors. What mischief can be accomplished with
your guestbook is only a subset of how much other mischief can be caused on
sites that use Matt Wright's guestbook script.

The point of the argument was Matt Wright's guestbook script being
vulnerable to CSS attacks. The fact your site uses it is purely incidental.
The argument put forth in our unbutchered version of the advisory was that
even if the administrator doesn't allow HTML, the JavaScript Entity can
still effect a cross-site scripting attack -- even if it *is* only against
the 10 or 20 people in the world who use Netscape 4.7x.


 Suggest you take a look at the history of other problems with Guestbook.

The history has no bearing on this CSS hole.

 It hasn't been maintained in years, and previous attempts to contact the
 author have gone unanswered (did you try?) You might consider releasing a
 patch for it with your information. Since it has known holes and is
 unmaintained, I recommend that it not be used on sites that one is
 concerned about being broken into. Since my site is hosted, anyone with
 $20 can have a shell on that machine, so breakins are not a large concern
 for me.

 Thanks for thinking of me, though. Sorry that I don't have time like Dave
 to edit your posts to vuln-dev to make them suitable for publishing.



bash-2.05$ strings xwall | grep 7


                                                 BB



Shameless plug: GOBBLES now has our very own comic strip. Preview at http://www.bugtraq.org/. More coming in the future.

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAjzd7C4VHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPk64A
nRZTw6muwtJLswT0M53jvbuCu1S9AJ9zlszs0JRaNCX3TLtrpWio6b9zfg==
=fLDC
-----END PGP SIGNATURE-----
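The thread's technical point is that a guestbook which merely strips HTML tags when "HTML not allowed" is configured still passes the Netscape 3.x/4.x JavaScript entity form (`&{...};`) through to the page, because that form contains no angle brackets. The following is an added example written for this archive page, not code from GOBBLES, Blue Boar, or Matt Wright's guestbook script. It contrasts a tag-stripping sanitizer with one that HTML-encodes the ampersand, and checks each rendering for a surviving entity. The sample entry, the attribute-value rendering template, the function names and the detection regex are constructed assumptions; the entity is assumed to be evaluated in attribute values, which is where the legacy Netscape feature applied.

```python
import html
import re

# Constructed sample guestbook field: a visitor name carrying a legacy
# JavaScript entity. The expression body is a harmless placeholder.
SAMPLE_ENTRY = 'visitor&{document.title};'

# Matches the Netscape 3.x/4.x JavaScript entity form "&{...};".
# Used here as a defender's check on sanitizer output, not as a parser.
JS_ENTITY_RE = re.compile(r'&\{[^}]*\};')


def strip_tags(text: str) -> str:
    """Weak sanitizer: removes <...> tags but leaves '&' untouched, so the
    '&{...};' entity survives intact."""
    return re.sub(r'<[^>]*>', '', text)


def escape_for_html(text: str) -> str:
    """Hardened sanitizer: encodes &, <, >, and quotes. Once '&' becomes
    '&amp;' the browser no longer sees an entity of any kind."""
    return html.escape(text, quote=True)


def render_entry(name: str, sanitizer) -> str:
    """Constructed rendering template: the visitor name lands inside an
    attribute value (where the entity was evaluated) and in the link text."""
    safe = sanitizer(name)
    return '<a href="#" title="%s">%s</a>' % (safe, safe)


def contains_js_entity(rendered: str) -> bool:
    """True if the rendered HTML still carries an interpretable '&{...};'."""
    return JS_ENTITY_RE.search(rendered) is not None


def entity_survives(sanitizer, entry: str = SAMPLE_ENTRY) -> bool:
    """Run one sanitizer over the sample entry and report whether the
    JavaScript entity survives into the rendered page."""
    return contains_js_entity(render_entry(entry, sanitizer))


if __name__ == "__main__":
    for name, fn in (("strip_tags", strip_tags), ("escape_for_html", escape_for_html)):
        print("%-16s -> %s" % (name, render_entry(SAMPLE_ENTRY, fn)))
        print("%-16s entity survives: %s" % ("", entity_survives(fn)))
```

Running it shows the tag stripper emitting the entity verbatim inside the `title` attribute, while the escaping version emits `&amp;{document.title};`, which no browser interprets as an entity. The lesson is the one the thread implies: "no HTML allowed" must mean encoding every metacharacter on output, not deleting tags on input.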

