On Wed, 14 Jul 2004, Seth Alan Woolley wrote:

> If the topic of exploiting browsers to gain unauthorized access to
> websites with buggy input validation is back in vogue, here's a strange
> situation for you that _only_ works in mozilla-based browsers:
>
> http://bugzilla.mozilla.org/show_bug.cgi?id=226495

See http://www.w3.org/TR/html401/appendix/notes.html#h-B.3.7 (and "SHORTTAG ON" in http://www.w3.org/TR/html401/sgml/sgmldecl.html)

  <div><script src="indexvuln.js"</div>

should be interpreted as

  <div><script src="indexvuln.js"></script></div>

The W3 HTML validator interprets it this way (complaining about the missing </script>).

There are two questions:

1. Should Mozilla support this bizarre esoteric feature of HTML? (In fact, this is a bizarre esoteric feature of SGML.)

2. Should Mozilla mangle the source when you view it?

I believe the answer is "no" in both cases.

Ad 1. That support should be completely eliminated or at least made configurable and disabled by default.

Ad 2. I really hate it. It's like MSIE turning \'s into /'s in URLs.

> If you read the comments on the reported bug, they seemed to fail to
> understand the bug and how easy it would be to fix while maintaining
> backwards compatibility. Then they resolved it duplicated on me when it
> wasn't the same bug as the other bug, essentially keeping it quiet.

Excuse me? As far as I can tell it is the same problem. The only difference is the fact you demonstrated possible security consequences of it.

> Lots of perl and php scripts exist out there that filter for the regular
> expression '<.*>' matching only whole tags instead of '[<>]' which
> matches either end of a tag.

The mistake made by those scripts is obvious: they attempt to deny bad things and allow everything else rather than allow known good things (i.e. well-formed documents in some harmless subset of (X)HTML) and deny everything else.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
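The following is an added illustration of the three filtering strategies the thread contrasts; it is not code from the mail, the bug report, or any of the scripts mentioned. It puts the '<.*>' blocklist filter, the '[<>]' rejection check, and an "allow known good, deny everything else" renderer side by side. The untrusted input is constructed here, reusing the indexvuln.js name from the quoted markup, and the page template, the allowlist of tags and the function names are all assumptions made for the example. The allowlist renderer escapes the whole input first and then restores only well-formed, balanced tags from a fixed set, so an unterminated tag can never reach the browser as markup.

```python
import html
import re

# 1. The flawed blocklist filter discussed in the thread: it removes text only
#    when a complete <...> tag is present, so input without a closing '>' passes.
TAG_PATTERN = re.compile(r'<.*>')


def blocklist_strip(untrusted: str) -> str:
    return TAG_PATTERN.sub('', untrusted)


# 2. The '[<>]' check: either bracket on its own is enough to reject the input.
ANGLE_PATTERN = re.compile(r'[<>]')


def contains_angle_bracket(untrusted: str) -> bool:
    return ANGLE_PATTERN.search(untrusted) is not None


# 3. Allowlist rendering (hypothetical policy): escape everything, then put back
#    only well-formed, attribute-free tags from a small harmless set, keeping
#    them balanced.  Everything else stays as escaped text.
ALLOWED_TAGS = ('b', 'i', 'em', 'strong', 'p')
# After html.escape, an allowlisted tag looks like "&lt;b&gt;" or "&lt;/b&gt;".
ESCAPED_TAG = re.compile(r'&lt;(/?)(' + '|'.join(ALLOWED_TAGS) + r')&gt;')


def allowlist_render(untrusted: str) -> str:
    escaped = html.escape(untrusted, quote=True)
    out = []
    stack = []  # currently open allowlisted tags, innermost last
    pos = 0
    for m in ESCAPED_TAG.finditer(escaped):
        out.append(escaped[pos:m.start()])
        pos = m.end()
        closing, tag = m.group(1) == '/', m.group(2)
        if not closing:
            stack.append(tag)
            out.append(f'<{tag}>')
        elif stack and stack[-1] == tag:
            stack.pop()
            out.append(f'</{tag}>')
        else:
            # A closing tag with no matching open tag is left escaped.
            out.append(m.group(0))
    out.append(escaped[pos:])
    # Close anything the input left open so the output is well-formed.
    while stack:
        out.append(f'</{stack.pop()}>')
    return ''.join(out)


# Assumed page template: the server wraps the filtered input in its own <div>,
# which is what supplies the '>' that SHORTTAG parsing attaches to the script tag.
def render_page(body: str) -> str:
    return f'<div>{body}</div>'


if __name__ == '__main__':
    # Constructed untrusted input: note the deliberately missing '>'.
    untrusted = '<script src="indexvuln.js"'
    print('blocklist :', render_page(blocklist_strip(untrusted)))
    print('reject    :', contains_angle_bracket(untrusted))
    print('allowlist :', render_page(allowlist_render(untrusted)))
    print('allowlist :', render_page(allowlist_render('<b>bold</b> & <i>it</i>')))
```

Running it shows the blocklist output is exactly the `<div><script src="indexvuln.js"</div>` markup from the bug report, the bracket check rejects the same input outright, and the allowlist renderer emits it as inert text while still letting `<b>` and `<i>` through.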
