w3m HTML tags in the IMG ALT attribute cross-site scripting
w3m-img-alt-xss (11266)
Description:
w3m is vulnerable to cross-site scripting, caused by improper filtering of HTML tags in the IMG ALT attribute within frames. A remote attacker could embed malicious script within HTML tags in the IMG ALT attribute in a frame, which would be executed in the victim's Web browser in the security context of the hosting site, once the vulnerable Web page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials or view files on a victim's computer.
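The class of fix described above, as an added C sketch that is not w3m's own code: ALT text is escaped before it is written into HTML that will be parsed again. The function names and the `[alt]` placeholder format are assumptions made for illustration; `escape=0` models the unpatched behaviour and `escape=1` the corrected one.

```c
#include <stdio.h>
#include <string.h>
/* Entity for a character that is markup in HTML, or NULL if it is safe. */
static const char *html_entity(char c)
{
    switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Write ALT text into out[] as inert text. Returns bytes written, or -1
 * (with out emptied) if it does not fit; an entity is never cut in half. */
int quote_alt_text(const char *alt, char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return -1;
    for (; *alt; alt++) {
        const char *ent = html_entity(*alt);
        size_t len = ent ? strlen(ent) : 1;
        if (n + len >= cap) { out[0] = '\0'; return -1; }
        memcpy(out + n, ent ? ent : alt, len);
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}

/* Assumed renderer step: an image becomes "[alt]" in HTML that is parsed
 * again. escape=0 models the unpatched behaviour, escape=1 the fix. */
int emit_image_placeholder(const char *alt, int escape, char *out, size_t cap)
{
    char text[512];
    if (escape ? quote_alt_text(alt, text, sizeof text) < 0
               : snprintf(text, sizeof text, "%s", alt) >= (int)sizeof text)
        return -1;
    int n = snprintf(out, cap, "[%s]", text);
    return n < (int)cap ? n : -1;
}

int main(void)
{
    char out[128];   /* ALT value below is a constructed sample */
    emit_image_placeholder("logo<b>x</b>", 1, out, sizeof out);
    return puts(out) < 0;
}
```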
Platforms Affected:
- Debian, Debian Linux 3.0
- Gentoo, Linux
- OpenPKG, OpenPKG 1.1
- OpenPKG, OpenPKG 1.2
- OpenPKG, OpenPKG CURRENT
- RedHat, Enterprise Linux 2.1 AS
- RedHat, Linux 7.2
- RedHat, Linux 7.3
- RedHat, Linux 8.0
- RedHat, Linux Advanced Workstation 2.1 Itanium
- w3m, w3m prior to 0.3.2.2
Remedy:
Upgrade to the latest version of w3m (0.3.2.2 or later), available from the SourceForge.net Web site. See References.
For Red Hat Linux:
Upgrade to the latest w3m package, as listed below. Refer to RHSA-2003:044-20 for more information. See References.
Red Hat 7.2: w3m-0.3.1-4.7.2 or later
Red Hat 7.3: w3m-0.3.1-4.7x.1 or later
Red Hat 8.0: w3m-0.3.1-6 or later
For Debian Linux 3.0 (woody) containing the w3mmee package:
Upgrade to the latest w3mmee package (0.3.p23.3-1.5 or later), as listed in DSA-249-1. See References.
For Debian Linux 3.0 (woody) containing the w3mmee-ssl package:
Upgrade to the latest w3mmee-ssl package (0.3.p23.3-1.5 or later), as listed in DSA-250-1. See References.
For Debian Linux 3.0 (woody) containing the w3m package:
Upgrade to the latest w3m package (0.3-2.4 or later), as listed in DSA-251-1. See References.
For Gentoo Linux:
Upgrade to the latest version of w3m (0.3.2.2 or later), as listed in Gentoo Linux Security Announcement 200302-07. See References.
For OpenPKG:
Upgrade to the latest w3m package as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2003.009 for more information. See References.
OpenPKG CURRENT: 0.3.2.2-20021205 or later
OpenPKG 1.1: 0.3.1-1.1.1 or later
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Gain Access
References:
- Gentoo Linux Security Announcement 200302-07, w3m -- missing HTML quoting at http://www.linuxsecurity.com/content/view/104604/104/.
- SourceForge.net, Project: w3m: Release Notes: w3m-0.3.2.2 at http://sourceforge.net/project/shownotes.php?release_id=126233.
- BID-6794: W3M Image Attribute Cross Site Scripting Vulnerability
- CVE-2002-1348: w3m before 0.3.2.2 does not properly escape HTML tags in the ALT attribute of an IMG tag, which could allow remote attackers to access files or cookies.
- DSA-249: w3mmee -- missing HTML quoting
- DSA-250: w3mmee-ssl -- missing HTML quoting
- DSA-251: w3m -- missing HTML quoting
- OpenPKG-SA-2003.009: w3m
- RHSA-2003-044: Updated w3m packages fix cross-site scripting issues
- RHSA-2003-045: w3m security update
Reported:
Dec 04, 2002
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
