
Possible XSS in User-Agent



The User-Agent header is not filtered in any way when it is processed, so
XSS or HTML can be injected through it.

POC
===

Let us suppose that the page we visit displays a browser check:

You are browsing with Mozilla Firefox....

In PHP, this is simply:

<?php echo $_SERVER['HTTP_USER_AGENT']; // header echoed unescaped, as in the original <? echo $HTTP_USER_AGENT ?> ?>

Then we install any software that allows us to modify the User-Agent;
in Mozilla Firefox you could use this plugin:

https://addons.update.mozilla.org/extensions/moreinfo.php?id=59

Example:

USER AGENT: <h1>Soulblack</h1>
USER AGENT: <script>alert('SoulBlack')</script>

It works correctly :).

The Apache log file:

127.0.0.1 - - [23/Jan/2006:14:54:02 +0000] "GET /favicon.ico HTTP/1.1" 404 283 "-" "<script>alert('SoulBLack')</script>" "-"

The tests were made with PHP and Apache.

The bug could be in PHP or in the protocol; we have not yet tested in
another language such as ASP, etc.
If the bug resides in the protocol, the User-Agent validation pattern
could be [a-z][0-9].
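As an added example that is not part of the original post, the Python below parses Apache combined-format lines like the one above, flags requests whose User-Agent carries markup, and shows the HTML escaping the PHP page should apply before echoing the header. Only the first sample line comes from the post; the other two are constructed.

```python
import html
import re

# Apache combined format. Quoted fields allow backslash escapes because Apache
# writes a literal " inside a header value as \".
_QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + _QUOTED +
    r' (\d{3}) (\S+) ' + _QUOTED + ' ' + _QUOTED
)

# A tag opener or a javascript: URL never appears in a genuine browser UA,
# which is plain text such as "Mozilla/5.0 (X11; Linux i686; ...)".
MARKUP_RE = re.compile(r'<\s*/?[a-zA-Z!]|javascript\s*:', re.IGNORECASE)

SAMPLE_LOG = [
    # line from the post above
    '127.0.0.1 - - [23/Jan/2006:14:54:02 +0000] "GET /favicon.ico HTTP/1.1" '
    '404 283 "-" "<script>alert(\'SoulBLack\')</script>" "-"',
    # constructed: a normal browser
    '203.0.113.5 - - [23/Jan/2006:15:01:10 +0000] "GET / HTTP/1.1" 200 1043 '
    '"-" "Mozilla/5.0 (X11; Linux i686; rv:1.8) Gecko/20060120 Firefox/1.5"',
    # constructed: the post's <h1> payload with an attribute, so the log holds \"
    '203.0.113.9 - - [23/Jan/2006:15:02:44 +0000] "GET / HTTP/1.1" 200 1043 '
    '"-" "<h1 class=\\"x\\">Soulblack</h1>"',
]


def _unescape(field):
    """Undo Apache's \" and \\ escaping inside a quoted log field."""
    return field.replace('\\"', '"').replace('\\\\', '\\')


def parse_combined(line):
    """Return a dict of fields from one combined-format line, or None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    host, when, request, status, size, referer, agent = m.groups()
    return {"host": host, "time": when, "request": _unescape(request),
            "status": int(status), "size": size,
            "referer": _unescape(referer), "agent": _unescape(agent)}


def find_markup_in_agents(lines):
    """Return (host, time, agent) for every line whose User-Agent has markup."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec and MARKUP_RE.search(rec["agent"]):
            hits.append((rec["host"], rec["time"], rec["agent"]))
    return hits


def render_agent(agent):
    """What the browser-check page should echo: the header HTML-escaped."""
    return "You are browsing with " + html.escape(agent, quote=True)
```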

Any suggestions or comments?

POC created by Soulblack Group.
www.soulblack.com.ar

--
 SoulBlack - Security Research
 http://www.soulblack.com.ar