the typo was <input value="%22 <script>something</script>"><br><br><div class="gmail_quote">On Mon, May 5, 2008 at 10:50 AM, Jon Daley <<a href="mailto:plogworld@jon.limedaley.com">plogworld@jon.limedaley.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> I understand that XSS can do stuff, I'd just like to see a specific example for this particular bug. From the example on security focus, it had an empty value="" in the submit tag, which I am assuming is a typo, otherwise I don't see how there is anything that can be done on the server side to fix it.<br>
Can anyone make a bit of javascript that actually gets something interesting using this bug? Then we can look into general purpose solutions for fixing it, rather than one input at a time.<div><div></div><div class="Wj3C7c">
<br>
<br>
On Mon, 5 May 2008, Matt Wood wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Here is a common exploitation scenario for you...<br>
<br>
An Attacker is targeting the <a href="http://lifetype.net" target="_blank">lifetype.net</a> site, he wants admin.<br>
<br>
He knows from emails and reading around that Oscar, Reto, Mark and Jon are<br>
likely to have admin on that page, so he makes a webpage on geocities or<br>
google or something.<br>
<br>
On this webpage he has javascript (or a meta refresh tag or an HTTP 302)<br>
that immediately redirects you to <a href="http://lifetype.net/admin.php" target="_blank">lifetype.net/admin.php</a> with some<br>
javascript payload utilitizing the XSS exploit.<br>
<br>
This javascript payload can utilize XSS to create an img tag, this img tag<br>
has a src of <a href="http://attackpage/record.php?data=admincredentials-base64ed%28orsomething%29" target="_blank">http://attackpage/record.php?data=admincredentials-base64ed(orsomething)</a><br>
as long as the data fits in the get parameters. You could also<br>
create a form and have no limit.<br>
<br>
Now all the attacker has to do is email each of you telling you that he has<br>
found a serious bug in lifetype, and he has screenshots on this page<br>
<a href="http://google/blah.%28html%7Cphp%7Cjpg%29" target="_blank">http://google/blah.(html|php|jpg)</a> (depending on his level of control of the<br>
site). Maybe he even puts screen shots on there so it doesn't look too<br>
scary... and uses an iframe to do the actual attack. You would never know<br>
unless you are monitoring all your traffic through a proxy.<br>
<br>
XSS is ALWAYS serious.<br>
<br>
On Mon, May 5, 2008 at 1:00 AM, Mark Wu <<a href="mailto:markplace@gmail.com" target="_blank">markplace@gmail.com</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Can you post an example? I am still not getting how<br>
the server-side is involved. I understand that if I put<br>
javascript on the admin's site, the javascript would have<br>
access to stuff, but the browser is supposed to block<br>
javascript from grabbing stuff from one site and posting it<br>
to another, right? So, somehow he grabs stuff via<br>
javascript, posts it to admin.php which then posts stuff to<br>
another site?<br>
</blockquote>
<br>
I have no idea either. Reto, if you can provide an example here, that<br>
willl<br>
very helpful.<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Sure, that's fine, but as far as I can tell, all inputs<br>
would be susceptible to the same problem, so fixing one<br>
variable isn't really a fix.<br>
</blockquote>
<br>
Not "all" inputs, just those inputs that we use string validator and does<br>
not filtered by htmlfilter( strip tags) or displayed without escape html<br>
special characters ...<br>
<br>
I think quite few ..<br>
<br>
Mark<br>
<br>
_______________________________________________<br>
pLog-svn mailing list<br>
<a href="mailto:pLog-svn@devel.lifetype.net" target="_blank">pLog-svn@devel.lifetype.net</a><br>
<a href="http://limedaley.com/mailman/listinfo/plog-svn" target="_blank">http://limedaley.com/mailman/listinfo/plog-svn</a><br>
<br>
</blockquote>
<br>
</blockquote>
<br></div></div>
-- <br><div class="Ih2E3d">
Jon Daley<br>
<a href="http://jon.limedaley.com/" target="_blank">http://jon.limedaley.com/</a><br>
<br></div>
Truth is beautiful, without doubt; but so are lies.<br>
-- Ralph Waldo Emerson<div><div></div><div class="Wj3C7c"><br>
_______________________________________________<br>
pLog-svn mailing list<br>
<a href="mailto:pLog-svn@devel.lifetype.net" target="_blank">pLog-svn@devel.lifetype.net</a><br>
<a href="http://limedaley.com/mailman/listinfo/plog-svn" target="_blank">http://limedaley.com/mailman/listinfo/plog-svn</a><br>
</div></div></blockquote></div><br>