Open Guestbook 0.5 title tag XSS
Simo64 posted a vulnerability to Bugtraq today that demonstrates a pretty useful vector. It's pretty obvious, but it's also not used that often. Everything placed inside a TITLE tag is treated as part of the title, except an end TITLE tag. An end TITLE tag closes the title, and any HTML that follows it is rendered inside the HEAD tag in which the title resides.
Simo64 pointed out this vector by popping out of the TITLE tag in the Open Guestbook software, which allowed a cross site scripting vulnerability to render. There’s also an SQL injection vector, which is actually slightly less interesting as it’s a pretty typical SQL injection. Anyway, good job, Simo64!
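
The behaviour described above, as an added example that is not part of the original post and is not Open Guestbook code: an unescaped title beside its escaped form, with a simplified scan that reports which markup ends up outside the TITLE element. All function names and sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helpers, not taken from Open Guestbook.

// Vulnerable pattern: user-controlled text placed in <title> unescaped.
function renderHeadUnsafe(title) {
  return `<head><title>${title}</title></head>`;
}

// Hardened form: HTML-escape first, so "<" can never begin an end tag.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderHeadSafe(title) {
  return `<head><title>${escapeHtml(title)}</title></head>`;
}

// Simplified model of how TITLE content is scanned: everything is text
// until the first "</title" followed by whitespace, "/" or ">".
// Returns the markup that lands after the TITLE element (still in HEAD).
function markupAfterTitle(head) {
  const open = head.toLowerCase().indexOf("<title>");
  if (open === -1) return null;
  const rest = head.slice(open + "<title>".length);
  const end = /<\/title[\s/>]/i.exec(rest);
  if (!end) return "";
  const gt = rest.indexOf(">", end.index);
  return gt === -1 ? "" : rest.slice(gt + 1);
}

// Constructed sample inputs.
const samples = [
  "My guestbook",
  "<script>alert(1)</script>",          // stays text inside TITLE
  "x</title><script>alert(1)</script>", // end tag closes TITLE early
];

for (const s of samples) {
  console.log(JSON.stringify(s));
  console.log("  unescaped:", JSON.stringify(markupAfterTitle(renderHeadUnsafe(s))));
  console.log("  escaped:  ", JSON.stringify(markupAfterTitle(renderHeadSafe(s))));
}
```

Only the third input changes what follows the title when left unescaped; with escaping, all three leave nothing but the closing HEAD tag after it.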



June 26th, 2006 at 9:34 pm
Highly interesting. Remind me to check my webapps for that one