Possible XSS in User-Agent
Analyzing User Agent does not make filters of anyone type, being able
to inject xss or HTML.
POC
===
let us suppose that the page we visit has the navigator´s check
You are sailing with Mozila Firefox....
In php, this simply is
<? echo $HTTP_USER_AGENT ?>
then we install any kind of soft which allows us to modify the user
agent, in mozila _firefox you could use this plugin
https://addons.update.mozilla.org/extensions/moreinfo.php?id=59
Example:
USER AGENT: <h1>Soulblack</h1>
USER AGENT:<script>alert('SoulBlack')</script>
it works correctly :).
The logfile of apache ;
127.0.0.1 - - [23/Jan/2006:14:54:02 +0000] "GET /favicon.ico HTTP/1.1"
404 283 "-" "<script>alert('SoulBLack')</script>" "-"
the tests were made with php and apache.
The bug could be in php, or in the protocol , we have not even probe
in another language like asp , etc ...
if the bug resides in the protocol, the model of control of user agent
could be [a-z][0-9] .
Any suggest or comment?
POC created by Soulblack Group.
www.soulblack.com.ar
--
SoulBlack - Security Research
http://www.soulblack.com.ar