OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Brett Moore (brettsoftwarecreations.co.nz)
Date: Fri Feb 01 2002 - 16:24:51 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    People are talking about CSS, yes still after many years it is a security
    problem. Some people say 'what sort of a problem, yes you can steal cookies
    but what else?,

    So how about new ideas.

    How about using CSS to exploit vulnerabilities in web sites, with some
    degree of anonyminity.

    Example:

    hello.asp takes 1 paramater (name) that is displayed to the screen with no
    cleansing.

    /hello.asp?name = <iframe
    src=http://vuln.iis.server/scripts/root.exe?/c+dir></iframe>

    I used iframe in the example as it shows something visible on the screen.
    But an attacker would need no response from the server so image tags etc are
    all viable.

    Example Scenario.
    -----------------

    Web board has CSS and also runs vuln iis. Attacker posts message with css
    exploit that kills the server. User comes along reads message and users ip
    gets logged as killing the server. This could even be set to kill a
    different iis server.

    ------------------

    Feedback is requested of course, and perhaps somebody will have time and
    energy to test further.

    How about other exploits?
    Custom made .ida overflow code
    <iframe src=http://vuln.iis.server/a.ida?XXX....XXX{CUSTOM IDA OVERFLOW
    CODE}></iframe>

    Brett

    > -----Original Message-----
    > From: E M [mailto:rdnktrkhotmail.com]
    > Sent: Saturday, 2 February 2002 08:14
    > To: billpboarder.org; vuln-devsecurityfocus.com
    > Subject: Re: CSS, CSS & let me give you some more CSS
    >
    >
    > I think we are getting away from the original topic, CSS and how
    > it effects
    > you.
    >
    > Basically the general agreement is that cookie stealing via
    > embedded code is
    > the most dangerous use for CSS and the most common.