--- DownBload <downbload@hotmail.com> wrote:
>
> [ Illegal Instruction Security Research Labs Advisory ]
> [--------------------------------------------------------------------]
> Advisory name: CSS bug in Winamp
> Advisory number: 8
> Application: Winamp
> Vendor: Nullsoft
> WEB: www.winamp.com
> Tested on: Winamp 2.76 and 2.79 (Windows 98)
> Impact: CSS execution during generation of html playlist
> Discovered by: DownBload
> Mail me @: downbload@hotmail.com
>
> ------[ Overview
> Winamp is (as we all know) the most popular mp3 player.
>
> ------[ Problem
> ID3v2 tag in mp3 file contains some information about mp3 file (artist,
> title, album, comment, etc.). Winamp supports creation of html playlist
> from winamp playlist.
> During generation process in html file is written only 'artist'
> and 'title' section of ID3v2 tag.
> In 'artist' and 'title' section, we can put arbitrary CSS code, which will
> be executed when html playlist will be generated, and shown with default
> web browser.
>
> ------[ Example
> Open 'view file info' on some mp3 file (read only flag on that file must
> be removed), and edit ID3v2 tag. Put some text in 'artist' section (if you
> wanna fool somebody, it is the best to write the name of the artist and
> song name in 'artist' section. After that put some blank space characters
> (around 100) and . after that), and CSS code which will be executed
> in 'title' section. For testing purpose, in 'title' section, you can put:
> -----cut here-----
> <script> alert ("HI!!!"); </script>
> -----cut here-----
> You can put some blank space (in 'title' section) before CSS code too.
> After that generate html file from playlist, and you will see msgbox, with
> text HI!!!
>
> ------[ GREETZ
> Goes to Illegal Instruction Labs (Boyscout, h4z4rd, Sunnis, Styx),
> www.active-security.org, finis, Fr1c, harlequin, st0rm, phreax, all of
> #hr.hackers <irc.carnet.hr>.
> Thanks to dr_cr@zy for providing me with hardware support, when my computer
> is on vacation :).
> Very special greetz go to |<4r0l1n4.
> I'm very sorry if I forgot someone...

This appears to be corrected in Winamp 2.80, as I was unable to get the exploit functional.

- Chris (chris@box.sk)
http://linux.box.sk/
http://blacksun.box.sk/
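The root cause the advisory describes is a generator that copies ID3v2 'artist' and 'title' fields into an HTML file without encoding them, so any markup in the tag is rendered by the browser. The following Python is an added illustration written for this page, not Winamp's code or anything from the original post: it contrasts that unsafe pattern with an output-encoded version, and adds a small check that flags tag fields carrying markup or the long whitespace padding the advisory mentions. The track records and field names are constructed sample data, not a real ID3 parser.

```python
import html
import re

# Constructed sample tag fields, standing in for values a tag editor could have
# written into an ID3v2 'artist' / 'title' frame. The second record mirrors the
# advisory's test payload: a padded artist field and markup in the title.
SAMPLE_TRACKS = [
    {"artist": "Some Artist", "title": "Some Song"},
    {
        "artist": "Some Artist - Some Song" + " " * 100 + ".",
        "title": '<script> alert ("HI!!!"); </script>',
    },
]


def render_playlist_unsafe(tracks):
    """Pattern the advisory describes: tag fields concatenated into HTML verbatim."""
    rows = "".join(f"<li>{t['artist']} - {t['title']}</li>" for t in tracks)
    return f"<html><body><ul>{rows}</ul></body></html>"


def render_playlist_safe(tracks):
    """Hardened version: every tag-derived string is HTML-escaped before it
    becomes part of the markup, so '<', '>', '&' and quotes are inert text."""
    rows = "".join(
        f"<li>{html.escape(t['artist'])} - {html.escape(t['title'])}</li>"
        for t in tracks
    )
    return f"<html><body><ul>{rows}</ul></body></html>"


def contains_raw_tag(document, tag="script"):
    """True if an unescaped <tag ...> opener survives in the generated HTML."""
    return re.search(rf"<\s*{re.escape(tag)}\b", document, re.IGNORECASE) is not None


def suspicious_fields(track, max_run=20):
    """Defender-side check on tag data before it is rendered: report fields that
    contain markup characters or a long run of blank space (used to push the
    payload out of view in a player's tag editor). Returns the offending field names."""
    flagged = []
    for name in ("artist", "title"):
        value = track.get(name, "")
        if "<" in value or ">" in value or re.search(rf"\s{{{max_run},}}", value):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("unsafe contains raw <script>:", contains_raw_tag(render_playlist_unsafe(SAMPLE_TRACKS)))
    print("safe contains raw <script>:  ", contains_raw_tag(render_playlist_safe(SAMPLE_TRACKS)))
    for t in SAMPLE_TRACKS:
        print("flagged fields:", suspicious_fields(t))
```

Escaping at the point where the string enters the HTML document is the fix; filtering the tag fields, as `suspicious_fields` does, is only useful as a secondary signal, since ID3 data is attacker-controlled whenever the file came from outside.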