[Full-Disclosure] [A bug!] Whom to blame, the HTML interpreter or the JavaScript compiler?

From: bipin gautam (visitbipin_at_yahoo.com)
Date: 10/10/03

    To: full-disclosure@lists.netsys.com
    Date: Fri, 10 Oct 2003 10:38:59 -0700 (PDT)
    
    

    --- [Affected] ---
    All versions of "OPERA, MOZILLA and INTERNET EXPLORER"
    available up to this release DATE!
    --- [Proof of concept] ---
    We have made a small script. Check it out,
    http://www.cyberdude.com.np/javascript.htm
    --- [Bug Details] ---
    ********************************************
    <html>
    <body>
    <p>THIS IS hUNT3R aka: Bipin Gautam</p>
    <script>alert("<script>location.href="http://www.ysgnet.com"</script>")</script>
    </body>
    </html>
    ********************************************

    <html>
    <body>
    <p>THIS IS hUNT3R aka:Bipin Gautam, exploit revised by
    Cyberdude</p>
    <script>
    document.write("<b>hUNTER &
    Cyberdude</b></script><script>alert("it works 1");
    alert("This works 2");
    </script>
    </body>
    </html>

    *********************************************
    --- [Description] ---
    The browser is letting you compile something inside
    the alert function. Well, it should show it anyway
    without compiling the script tag, as it is inside the
    quotation. But surprisingly, the output is different! We
    found the JavaScript compiler choked when we used the
    <script> tag inside a function like alert(); this also
    proves to be true for the document.write() function. This
    means that this script is going to choke badly and you
    won't get any output but just the ); that's all.

    This script is working. It's not that it is not
    working. It works in the starting script tag, but when
    the HTML parses the script tag inside the
    document.write it goes mad because nested scripting is not
    possible in HTML; the only nested tag in HTML must be
    the table tag, so in this script the HTML interpreter
    goes mad. But we can still insert the JavaScript in
    it.

    What we did was, we inserted the closing tag of
    JavaScript, </script>, first, closing the script tag that
    was opened already. After that we added the new
    starting <script> tag and wrote two alert tags now...
    So this is how we injected two alert tags in the
    JavaScript.
    --- [Conclusion] ---
    This proves injection of JavaScript inside
    JavaScript, making it available to use the current
    variables and change some static values predefined and
    even access other functions without a problem. This was
    just a small demo; we use this simple script to just
    stop it from printing garbage on the screen.
    --- [Background Information] ---
    This bug was originally discovered by hUNT3R [myself],
    a member of 01 Security Submission. I would like to
    thank my friend 'Cyberdude' for further exploring it
    and taking it to a new level.
    http://www.ysgnet.com/hn
    ---[I want a JOB/scholarship... anyone??? - hUNT3R]---


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
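An added example, not part of the original post, that models in JavaScript the parser rule behind the behaviour described above (the HTML tokenizer ends a script element at the first `</script` regardless of JavaScript string context) and the usual defence for pages that embed data in inline scripts: serialize it as JSON with `<` encoded as `\u003c`. All function names and the sample payload are constructed for this example.

```javascript
// Added example, not from the original post: a model of the HTML tokenizer
// rule the post relies on, and the standard mitigation for it.
//
// The tokenizer's "script data" state knows nothing about JavaScript string
// literals: it ends the element at the first "</script" followed by
// whitespace, "/" or ">" (case-insensitive). Simplified model of that rule.
const SCRIPT_END = /<\/script(?=[\s\/>])/i;

// Split inline script source the way the HTML parser does: the part before
// the end tag goes to the JavaScript engine, the rest is re-parsed as markup,
// which is where an injected <script> element comes from.
function splitAtScriptEnd(source) {
  const m = SCRIPT_END.exec(source);
  if (!m) return { js: source, trailingMarkup: "" };
  return { js: source.slice(0, m.index), trailingMarkup: source.slice(m.index) };
}

// Mitigation: serialize data for an inline script as JSON and encode every
// "<" as "\u003c". Both JSON and JavaScript decode it back to "<", so the
// value is unchanged, but the tokenizer never sees "</script" or "<!--".
// U+2028/U+2029 are encoded too because older engines treat them as line
// terminators inside string literals.
function toInlineScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Constructed sample: the string the post places inside alert().
const PAYLOAD = '<script>location.href="http://www.ysgnet.com"</script>';

// Naive embedding by string concatenation, as in the post.
function naiveInlineScript(value) {
  return 'alert("' + value + '")';
}

// Same call with the value run through the helper.
function safeInlineScript(value) {
  return "alert(" + toInlineScriptLiteral(value) + ")";
}

const naive = splitAtScriptEnd(naiveInlineScript(PAYLOAD));
const safe = splitAtScriptEnd(safeInlineScript(PAYLOAD));
console.log("naive, handed to JS :", naive.js);             // unterminated string
console.log("naive, re-parsed    :", naive.trailingMarkup); // '</script>")'
console.log("safe, handed to JS  :", safe.js);              // whole call intact
console.log("safe, re-parsed     :", JSON.stringify(safe.trailingMarkup)); // ""
```

The same split applies to the post's document.write() variant: everything after the first `</script>` in the string is handed back to the HTML parser, which then sees a fresh `<script>` element.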

