Bugtraq mailing list archives
Re: MAGIC XSS INTO THE DNS: coelacanth
From: <qazxdrgb () hotmail com>
Date: 17 Jun 2004 20:49:37 -0000
In-Reply-To: <200406151517.i5FFH8pC029012 () web179 megawebservers com>

This is just a plain simple XSS attack, and additionally it relies on a (long since?) patched vulnerability in IIS.

> Still unclear how or why this can be interpreted into the site or through the browser.

What is unclear?

1. They allow (whatever).(domainname) hostnames into the site. That is not very uncommon.
2. They generate absolute paths by concatenating "http://"+hostname+"/URI".
3. The webserver does not abort with HTTP/1.1 400 Bad Request as it should.

This is not that uncommon; looking for this we will most likely find it in a lot of CGI/PHP/JSP/ASP code. Luckily, the attack requires the host to accept silly hostnames. The problem with e-gold.com is that they use an old webserver with an already fixed IIS vulnerability, I think:

bash-2.02$ cat test.txt
GET /hello/just/a/test/please/forgive/me HTTP/1.1
Host: "><script>alert()</script>

bash-2.02$ nc www.microsoft.com 80 < test.txt
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 17 Jun 2004 20:15:07 GMT
Connection: close
Content-Length: 20

<h1>Bad Request</h1>bash-2.02$ nc www.e-gold.com 80 < test.txt
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/4.0
Date: Thu, 17 Jun 2004 20:15:56 GMT
Connection: close
Content-Length: 930
Content-Type: text/html

<cut junk>

To extend the attack to more systems, one needs to find dangerous meta characters which are not filtered by normal Bad Request / Bad Address filters. I did a very hasty search for webservers which would output unformatted hostnames or URIs in error messages, without any luck. But I am certain someone more tenacious will succeed. The net is vast.

Basically, searches for potentially vulnerable sites can be automated by testing patterns such as:

GET / HTTP/1.1
Host: XXXXXXXXXXXXXXXXX

GET /some_script HTTP/1.1
Host: XXXXXXXXXXXXXXXXX

GET /GIVE-ME-NOT-FOUND HTTP/1.1
Host: XXXXXXXXXXXXXXXXX

GET GIVE-ME-BAD-URI HTTP/1.1
Host: XXXXXXXXXXXXXXXXX

Do we get XXXXXXXXXXXXXXXXX back in HTML? Would be pretty easy to add the most basic searches to vulnerability scanners I think.

Sincerely yours,
Peter, 11a nu
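The post's points 2 and 3 describe the defect: "http://"+hostname+"/URI" is built straight from a Host header that the server never rejected. The hardened server-side counterpart, as an added example that is not code from the post or from any product it names (the allow-list hostnames are constructed sample values):

```python
"""Validate the Host header before it reaches URL construction or an
error page. Added example; ALLOWED_HOSTS holds constructed sample names."""
import html
import re
from urllib.parse import quote

# Constructed allow-list: every hostname this site legitimately serves.
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# Syntactic hostname check: dot-separated labels of letters, digits, hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


class BadRequest(Exception):
    """Raised where the web server should answer HTTP/1.1 400 Bad Request."""


def normalize_host(host_header: str) -> str:
    """Strip an optional :port, lower-case, and reject anything that is not
    a syntactically valid hostname present in the allow-list."""
    host = host_header.strip()
    if host.count(":") == 1 and host.rsplit(":", 1)[1].isdigit():
        host = host.rsplit(":", 1)[0]
    host = host.lower()
    if not _HOSTNAME_RE.match(host):
        raise BadRequest("malformed Host header")
    if host not in ALLOWED_HOSTS:
        raise BadRequest("unexpected Host header")
    return host


def host_is_acceptable(host_header: str) -> bool:
    """Boolean wrapper around normalize_host for request filtering."""
    try:
        normalize_host(host_header)
        return True
    except BadRequest:
        return False


def build_absolute_url(host_header: str, uri: str) -> str:
    """The "http://" + hostname + "/URI" construction from the post, but only
    after the hostname is validated and the path is percent-encoded."""
    host = normalize_host(host_header)
    if not uri.startswith("/"):
        raise BadRequest("URI must be an absolute path")
    return "http://" + host + quote(uri, safe="/")


def not_found_page(host_header: str, uri: str) -> str:
    """404 body that echoes request data only after HTML-escaping it."""
    return ("<h1>404 Object Not Found</h1><p>No such object: "
            + html.escape(host_header) + html.escape(uri) + "</p>")
```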
Current thread:
- MAGIC XSS INTO THE DNS: coelacanth http-equiv () excite com (Jun 15)
- <Possible follow-ups>
- Re: MAGIC XSS INTO THE DNS: coelacanth qazxdrgb (Jun 18)