[Full-Disclosure] RE: MAGIC XSS INTO THE DNS: coelacanth
dcopley at eEye.com
Wed Jun 16 19:29:52 BST 2004
> -----Original Message-----
> From: Windows NTBugtraq Mailing List
> [mailto:NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM] On Behalf Of
> http-equiv at excite.com
> Sent: Tuesday, June 15, 2004 3:00 PM
> To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
> Subject: MAGIC XSS INTO THE DNS: coelacanth
> Tuesday, June 15, 2004
> The following courtesy of 'bitlance winter' adds an entirely new
> dimension to the matter and also suggests some additional
> peculiarities at play:
> <a href='http://"><plaintext>.e-gold.com'>foo</a>
> <a href='http://"><script>alert()<%
> these will inject arbitrary html and script into the site in the
> context of the 'intranet zone', which means one no longer needs
> to go out and set up a site with the dns issue, all one needs to
> do is locate a functioning site, include their code into a
> suitable URL, either direct the target via that or place an
> iframe elsewhere pointing to it.
Because the wildcarding is a bit too wild.
For instance, "http://&money.e-gold.com/" resolves.
And, "http://&money;G-Money&OGbabyOG.e-gold.com/" resolves.
In e-gold's case, they actually take the URL line and render
it variously in their dynamic HTML on their page.
> Still unclear how or why this can be interpreted into the site
> or through the browser.
> credit: 'bitlance winter'
> End Call
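As an added defender-side example (not code from this post, from e-gold or from bitlance winter), the Python below shows the check a site behind a wildcard DNS record needs before it echoes the Host header or request URL into dynamic HTML: reject anything that is not a syntactically valid hostname under the expected zone and fall back to a canonical name. The function names, the constructed sample hostnames and the canonical-name fallback are assumptions of mine.

```python
import html
import re

# RFC 1123 label rule: 1-63 characters, letters, digits and hyphens only,
# no leading or trailing hyphen. Characters such as '"', '<', '>', '&' and
# ';' never appear in a legitimate hostname, even though a wildcard zone
# will happily resolve a name that contains them.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(host: str) -> bool:
    """Return True only for a syntactically valid DNS hostname."""
    host = host.rstrip(".")           # tolerate a trailing root dot
    if not host or len(host) > 253:   # overall length limit
        return False
    return all(LABEL_RE.match(label) for label in host.split("."))


def safe_host_for_page(host_header: str, canonical: str) -> str:
    """Decide what a page may echo for the Host value.

    Because *anything*.e-gold.com resolves under a wildcard record, the
    Host header cannot be trusted to be clean. It is reflected only when
    it is a well-formed hostname equal to, or below, the canonical zone;
    otherwise the canonical name is used. The result is HTML-escaped so
    that even an accepted value cannot break out of the markup.
    """
    host = host_header.split(":", 1)[0]   # drop an optional ":port"
    zone = canonical.lower()
    lowered = host.lower()
    in_zone = lowered == zone or lowered.endswith("." + zone)
    if is_valid_hostname(host) and in_zone:
        return html.escape(host)
    return html.escape(canonical)


if __name__ == "__main__":
    # Constructed samples modelled on the names quoted in the thread.
    for sample in ("www.e-gold.com",
                   "&money.e-gold.com",
                   '"><plaintext>.e-gold.com'):
        print(sample, "->", safe_host_for_page(sample, "www.e-gold.com"))
```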
Full-Disclosure is hosted and sponsored by Secunia.