Analyzing the User-Agent header: it is not filtered in any way, so it is possible to inject XSS or HTML through it.

POC
===

Let us suppose that the page we visit shows a browser check such as "You are browsing with Mozilla Firefox...". In PHP, this is simply:

<? echo $HTTP_USER_AGENT ?>

Then we install any kind of software that allows us to modify the user agent; in Mozilla Firefox you could use this plugin:
https://addons.update.mozilla.org/extensions/moreinfo.php?id=59

Example:

USER AGENT: <h1>Soulblack</h1>
USER AGENT: <script>alert('SoulBlack')</script>

It works correctly :).

The Apache logfile:

127.0.0.1 - - [23/Jan/2006:14:54:02 +0000] "GET /favicon.ico HTTP/1.1" 404 283 "-" "<script>alert('SoulBLack')</script>" "-"

The tests were made with PHP and Apache. The bug could be in PHP or in the protocol; we have not even tested it in another language such as ASP, etc. If the bug resides in the protocol, the validation pattern for the user agent could be [a-z][0-9].

Any suggestion or comment?

POC created by Soulblack Group.
www.soulblack.com.ar

--
SoulBlack - Security Research
http://www.soulblack.com.ar
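The two defender-side points in the post, reflecting the header without encoding versus encoding it, and spotting injected markup in the Apache access log, as an added Python example that is not part of the original post or of SoulBlack's research. It assumes the Apache "combined" log format with the extra trailing quoted field exactly as in the log line above; the sample log consists of that line plus one constructed benign entry, and the render_unsafe/render_safe function names are chosen here for illustration:

```python
"""Flag HTML/script content in the User-Agent field of Apache combined logs,
and contrast raw reflection of the header with entity-encoded reflection."""
import html
import re

# Apache combined format plus the trailing quoted field present in the post's
# log line.  Quoted fields may contain backslash-escaped characters (Apache
# writes " inside a field as \").
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
    r'(?: "(?P<extra>(?:[^"\\]|\\.)*)")?\s*$'
)

# Any HTML tag opener ("<h1", "</script", "<!--") inside a User-Agent value.
TAG_RE = re.compile(r'<\s*/?\s*[A-Za-z!]')

# Constructed sample log: line 1 is a benign entry made up for this example,
# line 2 is the log line quoted in the post.
SAMPLE_LOG = [
    '127.0.0.1 - - [23/Jan/2006:14:53:58 +0000] "GET / HTTP/1.1" 200 1043 "-" '
    '"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051111 '
    'Firefox/1.5" "-"',
    '127.0.0.1 - - [23/Jan/2006:14:54:02 +0000] "GET /favicon.ico HTTP/1.1" '
    '404 283 "-" "<script>alert(\'SoulBLack\')</script>" "-"',
]


def parse_combined(line):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ua_is_suspicious(ua):
    """True when the User-Agent carries markup or a javascript: URL."""
    return bool(TAG_RE.search(ua)) or 'javascript:' in ua.lower()


def scan_log(lines):
    """Return (line_number, user_agent) for entries with an injected UA."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_combined(line)
        if rec is not None and ua_is_suspicious(rec['ua']):
            hits.append((n, rec['ua']))
    return hits


def render_unsafe(ua):
    """Equivalent of the post's `<? echo $HTTP_USER_AGENT ?>`: the header is
    placed in the page verbatim, so any tags it contains are rendered."""
    return 'You are browsing with ' + ua


def render_safe(ua):
    """Hardened form: entity-encode before placing the value in HTML body
    context, so tags and quotes are shown as text instead of being parsed."""
    return 'You are browsing with ' + html.escape(ua, quote=True)


if __name__ == '__main__':
    for n, ua in scan_log(SAMPLE_LOG):
        print(f'line {n}: suspicious User-Agent {ua!r}')
    print(render_unsafe('<h1>Soulblack</h1>'))
    print(render_safe('<h1>Soulblack</h1>'))
```

The same encoding rule applies wherever the header is displayed, including log viewers and statistics pages, since the access log shows the value is stored untouched.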