xss in javascript nested CDATA section

Status: RESOLVED INVALID
Severity: critical

Reporter: a.schnapp (Unassigned)


Description (Reporter, 9 years ago)
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.1.7) Gecko/20100106 Ubuntu/9.10 (karmic) Firefox/3.5.7
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.1.7) Gecko/20100106 Ubuntu/9.10 (karmic) Firefox/3.5.7

When you use a CDATA section nested in a JavaScript tag, the characters '<' and '>' are interpreted as HTML.

Some sites use the CDATA thing in JavaScript to prevent user input from being interpreted, see for example the how-to on this site: http://www.w3schools.com/xmL/xml_cdata.asp

The core of the current version of TYPO3 is vulnerable with Firefox because of this issue. I have tried my example below in Google's Chromium. This browser doesn't interpret the tags inside the CDATA. For IE I don't know, I don't use any MS products.

Reproducible: Always

Steps to Reproduce:
Put the following code in some HTML page and take a look at what happens (it will work without the JS comments too):

<script type="text/javascript">
	/*<![CDATA[*/
	// update should take a dyn parameter which allows characters '<' and '>' because there should not be evil in a CDATA section 
	update('</script><script>alert('here i can hijack a session id for example => proof of concept successfull')</script>');
	/*]]>*/
</script>

<script>
// function is unnecessary for proof of concept
function update(t)  {

}
</script>
Actual Results:
Getting an alert box with the text: here i can hijack a session id for example => proof of concept successfull

Expected Results:
DON'T interpret HTML tags in CDATA sections. Even if HTML should not nest CDATA in JS (I don't know if this is a good idea, but actually this nested CDATA stuff is used on many sites).

I think the page should output nothing. The script tag in the CDATA section should be a normal JS string parameter of the function update. The function doesn't print anything on screen.

I think it is critical because you can hijack session IDs and do some other XSS stuff on all sites which use CDATA in JS. For example the TYPO3 core has a function which is based on this.
What does the HTML 5 spec say about how this should be parsed?
I suggest resolving this as INVALID.

The w3schools example is about XML. This bug report is about HTML. XML parsing rules don't apply to HTML.

Per HTML5, there's nothing special about the syntax "<![CDATA[" inside an HTML script. (Per HTML5, that syntax is special in an SVG script, but that's another story.) Therefore, the example given parses per HTML5 into a script element whose content is "
    /*<![CDATA[*/
    // update should take a dyn parameter which allows characters '<' and '>' because there should not be evil in a CDATA section 
    update('", another script element whose content is "alert('here i can hijack a session id for example => proof of concept successfull')" and "    /*]]>*/
" as a trailing text node.

If you echo arbitrary strings into string literals in inline scripts in text/html, the safe course of action (in legacy browsers and in HTML5-compliant browsers) is to escape < as \u003C and not to try to use <![CDATA[ ... ]]> or <!-- ... --> as escapes. Escaping < as \u003C protects both against the injection of the string "</script>" and against the injection of the string "<!--".
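The following is an added example, not code from the bug report or from any of the commenters: a simplified model of the text/html script-data rule described above (the element ends at the first "</script" regardless of CDATA markers) next to the recommended fix of escaping "<" as \u003C. The names scriptContentEnd, escapeForJsStringLiteral and renderUpdateCall are assumptions made for this example, and the payload is constructed to mirror the report.

```javascript
// Added example (not from the bug report). Models the text/html tokenizer's
// script-data rule: a <script> element ends at the first "</script" followed
// by whitespace, "/" or ">", no matter what JS syntax (string literal, comment
// or <![CDATA[ marker) surrounds it. The "<!--" double-escape state that
// comment 2 also mentions is deliberately not modelled here.
function scriptContentEnd(scriptBody) {
  const m = /<\/script(?=[\s\/>])/i.exec(scriptBody);
  return m ? m.index : -1;
}

// Escape a value for placement between quotes inside an inline script.
// Characters that can break out of the string literal (quotes, backslash,
// line terminators) or out of the <script> element ("<", ">", "&") become
// \uXXXX escapes, which the HTML tokenizer never treats as markup and which
// JavaScript decodes back to the original characters at runtime.
function escapeForJsStringLiteral(value) {
  return String(value).replace(/[<>&"'\\\n\r\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

// Hypothetical server-side template emitting the reporter's update() call,
// with a pluggable escaping strategy for the untrusted value.
function renderUpdateCall(untrusted, escape) {
  return "/*<![CDATA[*/\nupdate('" + escape(untrusted) + "');\n/*]]>*/";
}

// Constructed payload in the shape of the report's proof of concept.
const PAYLOAD = "</script><script>alert('xss')</script>";

// CDATA wrapper only (the report's approach) versus \uXXXX escaping.
const unsafe = renderUpdateCall(PAYLOAD, (s) => s);
const safe = renderUpdateCall(PAYLOAD, escapeForJsStringLiteral);

// Where the tokenizer would cut each script element: the CDATA-only version is
// cut inside the string literal, the escaped version keeps its content intact.
console.log("cut at:", scriptContentEnd(unsafe));   // 22 (inside update('...'))
console.log("cut at:", scriptContentEnd(safe));     // -1 (no premature end tag)
```

The escaped literal still decodes to the original payload when the script runs, so update() receives exactly the string the user supplied, as the reporter expected.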
Comment 3 (Reporter, 9 years ago)
Hi, I looked at the TYPO3 site (there it has been fixed) where I found this bug the first time!

There is an XML header with an XHTML doctype and the JS tags in the CDATA section are interpreted. Sorry, I didn't look at the header before I reported the bug and I didn't know that CDATA is XML specific.

I think tags in CDATA sections of an XHTML file should not be interpreted.

This was the original XHTML header of the exploitable site...

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html
     PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

I've uploaded an example XHTML file, which pops up an alert box with the title of a page. The JS is nested in a CDATA section...

Filename is: nestedJSInCDATAInXHTML.html
Comment 4 (Reporter, 9 years ago)

Created attachment 425427
This is an example of a nested JS section in a CDATA field of an XHTML document. And it is interpreted!
(In reply to comment #3)
> I think tags in CDATA sections of an XHTML file should not be interpreted.

The choice of parser depends on the content type. If you use an XHTML doctype but serve the content as text/html, you get the text/html parser. If you want the XML parser, you need to serve the content as application/xhtml+xml.
Comment 6 (Reporter, 9 years ago)
Yes, it's right, the choice of parser depends on the content type. I suggest declaring this ticket as invalid too.

But I think it's confusing for web developers. It's valid to use content type text/html for an XHTML version 1 document, but it's not valid to use some XML stuff in there.

Additionally, the decision on the final content type is made by the admin of the webserver and not by the developer who thought he was writing a native XML document. Surely the developer can take an XHTML version higher than 1, but I think many developers think that their XHTML version 1 file must be sent by the webserver/admin as XML.

But this is not a development issue of the Firefox browser, so I think the bug report should be invalid!

BTW: On this platform the automatic choice for the content type of my uploaded XHTML file (see comment 4) is text/html, as in nearly every system (webserver included).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID
Group: core-security