From: Chris (prgmrchris2k1_at_yahoo.com)
Date: Fri Aug 09 2002 - 11:39:24 CDT


    --- DownBload <downbloadhotmail.com> wrote:
    >
    > [ Illegal Instruction Security Research Labs Advisory ]
    > [--------------------------------------------------------------------]
    > Advisory name: CSS bug in Winamp
    > Advisory number: 8
    > Application: Winamp
    > Vendor: Nullsoft
    > WEB: www.winamp.com
    > Tested on: Winamp 2.76 and 2.79 (Windows 98)
    > Impact: CSS execution during generation of html playlist
    > Discovered by: DownBload
    > Mail me : downbloadhotmail.com
    >
    > ------[ Overview
    > Winamp is (as we all know) the most popular mp3 player.
    >
    > ------[ Problem
    > The ID3v2 tag in an mp3 file contains some information about the mp3 file
    > (artist, title, album, comment, etc.). Winamp supports creation of an html
    > playlist from the winamp playlist. During the generation process, only the
    > 'artist' and 'title' sections of the ID3v2 tag are written into the html
    > file. In the 'artist' and 'title' sections, we can put arbitrary CSS code,
    > which will be executed when the html playlist is generated and shown with
    > the default web browser.
    >
    > ------[ Example
    > Open 'view file info' on some mp3 file (the read-only flag on that file
    > must be removed), and edit the ID3v2 tag. Put some text in the 'artist'
    > section (if you wanna fool somebody, it is best to write the name of the
    > artist and the song name in the 'artist' section, and after that put some
    > blank space characters (around 100) and a '.' after that), and the CSS
    > code which will be executed in the 'title' section. For testing purposes,
    > in the 'title' section, you can put:
    > -----cut here-----
    > <script> alert ("HI!!!"); </script>
    > -----cut here-----
    > You can put some blank space (in the 'title' section) before the CSS code
    > too. After that generate the html file from the playlist, and you will see
    > a msgbox with the text HI!!!
    >
    > ------[ GREETZ
    > Goes to Illegal Instruction Labs (Boyscout, h4z4rd, Sunnis, Styx),
    > www.active-security.org, finis, Fr1c, harlequin, st0rm, phreax, all of
    > #hr.hackers <irc.carnet.hr>.
    > Thanks to dr_crzy for providing me with hardware support when my computer
    > is on vacation :).
    > Very special greetz go to |<4r0l1n4.
    > I'm very sorry if I forgot someone...

    This appears to be corrected in Winamp 2.80, as I was
    unable to get the exploit functional.

    - Chris (chrisbox.sk)
    http://linux.box.sk/
    http://blacksun.box.sk/

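The playlist-writer flaw the advisory describes, as an added Python example that is not from the original post or from Nullsoft: a writer that pastes the ID3v2 'artist' and 'title' fields straight into the html (the reported behaviour) beside one that escapes them, plus a defender-side check that flags tag fields carrying markup. The tag values and the `<li>` layout are constructed for the example.

```python
import html

# Constructed ID3v2 tag values standing in for what the player reads from an mp3.
# The first 'title' carries the advisory's test payload, preceded by the ~100
# blank spaces the advisory uses to push the payload out of view in the player.
CONSTRUCTED_TAGS = [
    {"artist": "Some Artist - Some Song",
     "title": " " * 100 + '<script> alert ("HI!!!"); </script>'},
    {"artist": "Plain Artist", "title": "Plain Title"},
]


def playlist_entry_unescaped(tag):
    """Vulnerable writer: tag text lands verbatim in the html, so a <script>
    element in the title becomes live markup when the page is opened."""
    return f"<li>{tag['artist']} - {tag['title']}</li>"


def playlist_entry_escaped(tag):
    """Hardened writer: every tag field is HTML-escaped before it reaches the
    markup, so '<script>' is rendered as text instead of being parsed."""
    return f"<li>{html.escape(tag['artist'])} - {html.escape(tag['title'])}</li>"


def render_playlist(tags, entry_fn):
    """Build the full html playlist with the given per-entry writer."""
    body = "\n".join(entry_fn(t) for t in tags)
    return f"<html><body><ul>\n{body}\n</ul></body></html>"


def contains_raw_markup(tag):
    """Flag tag fields that carry characters meaningful to an html parser;
    a tag scanner or import filter can use this to surface suspicious files."""
    return any(c in tag[f] for f in ("artist", "title") for c in "<>\"'&")


if __name__ == "__main__":
    for t in CONSTRUCTED_TAGS:
        print(contains_raw_markup(t), playlist_entry_escaped(t).strip()[-70:])
```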