Pngfix

I was meaning to write about this for a while because it just shows how little people care about what they include on their web site. I’m not saying I’m perfect I’ve included vulnerable JavaScript on my own sites but I have at least noticed when I find a vulnerability and fix it or remove it. This one is so funny because it’s been around for years and some sites probably still use it although the conditional comment makes it work on IE6 only. I wonder did anyone else notice or bother to check the code?

The alarm bells should at least have been ringing when you copied the JavaScript from homepage.ntlworld.com, I mean that domain doesn’t fill you with confidence does it? :) If you look at the code you’ll notice a loop through the images and a check for a png extension and then we have this little beauty:


var imgID = (img.id) ? "id='" + img.id + "' " : ""

Uh oh it looks like we are building some html there :)


img.outerHTML = strNewHTML

Then they write this new string they build and directly assign it to outerHTML. There are multiple attributes that they allow in this way.

We are then left with a pretty nice vector that would bypass any html filter:

<img src=1.png id="'&gt;&lt;img src=1 onerror=alert(/png_fixed!/)&gt;">

Nice png fix! Notice that because it’s in an attribute context the browser would decode any entities for us too making it work. You can see the code in all it’s glory here http://homepage.ntlworld.com/bobosola/pngfix.js

Comments are closed :( too much spam. If you want to contact me about any article please email or tweet me.