[Empeg-general] Re: HTML code in BBS post

Andy Norman nospam at focus.demon.co.uk
Wed, 20 Mar 2002 17:38:00 GMT


Are there really people who are stupid enough to execute untrusted scripts while holding admin privileges?

You clearly haven't followed what I am talking about. I am not talking about an admin going off and deliberately running some untrusted script.

I am talking about them unknowingly running a bit of hidden script via the normal process of using the browser-based internet app (in this case a bbs). By inserting a cleverly crafted bit of script into a post to the bbs, if the bbs doesn't successfully strip this script, this bit of script can get run when the admin views the post on the bbs. The admin would not even need to know that there was any script there.

I'm getting bored of this. It is possible to trick some webserver-browser based apps into accepting script that later gets executed on other people's browsers without their knowledge or interaction. It is possible for this script to then interact with the webserver application in question and carry out most actions that the user could, as that user. It is non-trivial to strip out all possible script from HTML while leaving the HTML intact.

I am not saying any of this is likely to happen on this BBS and it requires a very good knowledge of how the browsers and the web app in question works, but it is all perfectly possible. I have done it before on systems I have been auditing for security issues.
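The point made above, that simply removing script from posted HTML is not enough, is easy to demonstrate. The following Python is an added example written for this archive page; it is not code from the thread or from any BBS software. It contrasts a naive filter that only deletes `<script>` tags with an allowlist sanitizer that keeps a handful of formatting tags, drops every attribute it does not know, and HTML-escapes everything else. The tag allowlist, the sample posts and the placeholder function name `runHiddenScript()` are all constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Naive filter: delete <script> tags and nothing else. This is the kind of
# "strip the script" approach the post describes as insufficient.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def strip_script_tags(post_html: str) -> str:
    return SCRIPT_TAG.sub("", post_html)


# Allowlist sanitizer: a constructed, deliberately small set of tags a BBS might
# let members use, with the attributes permitted on each.
ALLOWED_TAGS = {"b": set(), "i": set(), "p": set(), "br": set(), "a": {"href"}}
VOID_TAGS = {"br"}
# Only plain web/mail URL schemes may appear in a link target.
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.IGNORECASE)


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags/attributes; escape all other content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text is still emitted, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # event handlers and any other attribute are discarded
            if name == "href" and not SAFE_URL.match(value.strip()):
                continue  # non-http(s)/mailto link targets are discarded
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # Close any inner tags too, so the output stays properly nested.
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        # Text (including the body of a dropped <script>) is always escaped.
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:  # close anything the post left unterminated
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_post(post_html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(post_html)
    parser.close()
    return parser.result()


# Constructed sample posts, as a member of the BBS might submit them.
POST_SCRIPT_TAG = 'Nice <b>empeg</b> <script>runHiddenScript()</script>'
POST_EVENT_ATTR = 'Nice <b onmouseover="runHiddenScript()">empeg</b>'
POST_LINKS = ('See <a href="javascript:runHiddenScript()">this</a> and '
              '<a href="http://empeg.com/">that</a>')

if __name__ == "__main__":
    for post in (POST_SCRIPT_TAG, POST_EVENT_ATTR, POST_LINKS):
        print("naive    :", strip_script_tags(post))
        print("allowlist:", sanitize_post(post))
```

Run as a script, the naive filter leaves the event-handler attribute and the `javascript:` link untouched, while the allowlist sanitizer keeps the bold text and the `http://` link and discards everything it was not told to keep. Parsing with `HTMLParser` rather than regular expressions also means case variations, unbalanced tags and entity-encoded angle brackets are handled by the parser instead of by a pattern the author has to get exactly right.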