Q and A for any cross site scripting information. Feel free to ask away. 
XSS with param or embed tags?
Posted by: yawnmoth
Date: August 28, 2006 03:07PM

Say I had the following:

<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=5,0,0,0" width="{WIDTH}" height="{HEIGHT}">
<param name="allowScriptAccess" value="never" />
<param name="movie" value="{URL}" />
<param name="loop" value="{LOOP}" />
<param name="quality" value="high" />
<param name="scale" value="noborder" />
<param name="wmode" value="transparent" />
<param name="bgcolor" value="#000000" />
<embed allowScriptAccess="never" src="{URL}" loop="{LOOP}" quality="high" scale="noborder" wmode="transparent" bgcolor="#000000" width="{WIDTH}" height="{HEIGHT}" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash"></embed>
</object>

Although all occurrences of < and > in {URL} are escaped, " isn't. So basically, we can add parameters to two existing tags (param or embed), but we can't add whole new tags. Does a bona fide XSS vulnerability exist here?

Javascript event handlers didn't seem to work with these tags when I tested them, nor did the style parameter (which I'd use to either do a -moz-binding or an IE-only "expression")...



Edited 1 time(s). Last edit at 08/28/2006 03:07PM by yawnmoth.

Re: XSS with param or embed tags?
Posted by: rsnake
Date: August 28, 2006 03:21PM

If you can modify the first height tag in the object tag try putting in an IE only style tag: {HEIGHT} = " STYLE="background-image: url(javascript:alert('XSS'))

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS with param or embed tags?
Posted by: yawnmoth
Date: August 28, 2006 03:53PM

The {HEIGHT} and {WIDTH} things are actually sorta validated (i.e. symbols can't be included) before being inserted into the HTML. The only thing that isn't is the {URL} thing.

Also, IE7 doesn't seem to support the javascript pseudo protocol being used in the url thing anymore.

Re: XSS with param or embed tags?
Posted by: rsnake
Date: August 28, 2006 07:30PM

Hmm... then you might be out of luck.

But regarding IE7.0 that's correct... I spoke with the IE developers a few times about that and they went back and forth on whether it was a bug or not, then they decided it was a security enhancement. Either way, it will shut down a number of XSS vectors in the future for that browser.

- RSnake
Gotta love it. http://ha.ckers.org
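
An added example, not part of the thread and not the code of the forum software being discussed: it renders a reduced form of the `<embed>` line twice, once with the escaping the first post describes (only `<` and `>`) and once with scheme validation plus full attribute encoding, then parses both results to see which attributes a browser-style parser finds. The function names, the `true`/`false` rule for `{LOOP}`, the four-digit limit on dimensions and the sample URL are assumptions made for the illustration.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Reduced form of the <embed> line from the post, same placeholders.
TEMPLATE = ('<embed allowScriptAccess="never" src="{URL}" loop="{LOOP}" '
            'width="{WIDTH}" height="{HEIGHT}" '
            'type="application/x-shockwave-flash"></embed>')

def weak_escape(value):
    """Behaviour described in the post: only < and > are escaped."""
    return value.replace("<", "&lt;").replace(">", "&gt;")

def safe_url(value):
    """Allow only absolute http(s) URLs, then encode for a quoted attribute."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("URL must be absolute http or https")
    return html.escape(value, quote=True)  # encodes & < > " and '

def safe_dimension(value):
    """Width and height: one to four decimal digits, nothing else."""
    if not re.fullmatch(r"[0-9]{1,4}", value):
        raise ValueError("dimension must be 1-4 digits")
    return value

def render(url, width, height, loop, encode_url):
    # Single-pass substitution; encode_url selects weak or hardened handling.
    if loop not in ("true", "false"):
        raise ValueError("loop must be true or false")
    values = {"URL": encode_url(url), "LOOP": loop,
              "WIDTH": safe_dimension(width), "HEIGHT": safe_dimension(height)}
    return re.sub(r"\{(URL|LOOP|WIDTH|HEIGHT)\}",
                  lambda m: values[m.group(1)], TEMPLATE)

class _EmbedAttrs(HTMLParser):
    def handle_starttag(self, tag, attrs):
        if tag == "embed":
            self.found = dict(attrs)

def embed_attrs(markup):
    """Return the attributes an HTML parser sees on the <embed> tag."""
    parser = _EmbedAttrs()
    parser.found = {}
    parser.feed(markup)
    return parser.found

# Constructed input: a double quote followed by a harmless marker attribute.
SAMPLE = 'http://media.example/clip.swf" data-injected="1'
```

With `weak_escape` the marker shows up as a separate attribute on the tag; with `safe_url` it stays inside the `src` value, and non-http(s) schemes are rejected before encoding.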
