WinAmp ID3 HTML Bug

 


Summary

To allow users of WinAmp to share a list of the songs they listen to, WinAmp provides a function that generates HTML versions of song playlists. However, the Generate HTML Playlist function contains a bug that allows a malicious user to insert dangerous code into a music file's ID3 tag (a song information tag); that code is copied into the generated HTML playlist unchanged and executes when the playlist is viewed.


Application Description

NullSoft's WinAmp is a multimedia player designed mostly for playing MP3 music files. The player makes use of ID3 tags, which allow users to record information about the song, such as the artist, title, track number, etc.


Test Design

This example demonstrates the use of Domain testing. In Domain testing, we are evaluating a function's acceptance of input by choosing representative data to enter into the data fields.

In this presentation on ID3 tags, we have many different input boxes and many types of input that can go into those boxes. Since the Generate HTML Playlist function uses the song title and artist, we will make equivalence classes based on the types of input those boxes accept. Furthermore, since both boxes accept the same types of input, we really only have to test one of them.

So, for title and artist we might have a basic equivalence class that looks like this: Title/Artist = {null, average, max length}. We are going to modify that equivalence class to include HTML code, since we are generating an HTML list. It is this part of the equivalence class that we are going to look at.

Domain testing is a powerful testing technique for quickly finding common faults with input handling. Rather than test thousands (or millions) of inputs, we test representatives to save time and maintain efficiency. We observe the results of a domain test by directly examining the program's reaction to the input.


Performing the Test

  1. Open WinAmp and open an “.mp3” file by clicking on .
  2. Open up the ID3 tag editor by either pressing Alt+3 or right-clicking on the song in the playlist window and selecting File Info.
  3. In the ID3 tag window, make sure only the ID3v2 tag is selected in the check box:

  4. In title, paste the following:

    <script language="JavaScript"> var message = "This is some HTML Code"; alert(message); </script>

  5. Click 'Update' to return to the main WinAmp window.
  6. Generate an HTML playlist:


Results/Relevance

Receiving the above message means that the HTML code executed successfully. This could be an excellent feature, of course, except consider an example like this:

<script language="JavaScript"> while (true) { var message = "Your Internet Browser is now Broken"; alert(message); }</script>

The code above instructs the browser to display the message as long as true equals true (which is always!). And as frustrating as something like this may be, consider what happens if a malicious user replaces this code with code in a less restricted scripting technology than JavaScript, such as VBScript or ActiveX.

Similarly, more domain testing of these inputs reveals that whitespace can be entered into the title and artist boxes. This means that we could place the above code in those boxes and then move it out of view by inserting hundreds of whitespace characters in front of it. The picture of WinAmp at the very top of this page was actually playing a file that had exactly that done to it.

Here, where you see "DJ Llama Test" and "...0:05", the "..." actually means that there is more to the title and artist tags than can be seen. The title should actually read:

DJ Llama Test_______________________________________________________________________________<Script language="JavaScript"> while (true) { var message = "Your Internet Browser is now Broken"; alert(message); }</script>

The underscores above represent how much whitespace was entered between the artist and the code, more than enough to make another user unaware that the code is added onto the end.

This bug is extremely critical, as it could allow a user to alter or damage information on another user's computer. Domain testing allowed us to find this bug by testing what WinAmp allowed as input and observing what WinAmp produced as output.
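The following Python program is an added example and is not part of Sam Oswald's original page or of WinAmp itself. It ties the Test Design and Results sections together: it builds a minimal ID3v2.3 tag carrying the page's demonstration payload (frame layout follows the public ID3v2.3 specification), parses it back the way a player would, and renders an HTML playlist two ways: with tag text copied in verbatim, as the page describes the buggy generator doing, and with HTML escaping, which is the fix. It also runs the page's equivalence classes (null, average, max length, HTML) through the unescaped generator and includes a simple defender's check for metadata fields that contain markup or the long whitespace runs used to hide the payload. All function names, the 255-character "max length" value and the "Test Artist" sample are my own constructions.

```python
import html
import re
import struct

# Frame IDs for title and artist in ID3v2.3 (public ID3v2.3 specification).
TITLE_ID, ARTIST_ID = b"TIT2", b"TPE1"

# Constructed sample input: the page's demonstration payload, plus the
# whitespace-padded variant the page describes for pushing it out of view.
PAYLOAD = ('<script language="JavaScript"> while (true) '
           '{ var message = "Your Internet Browser is now Broken"; '
           'alert(message); }</script>')
HIDDEN_TITLE = "DJ Llama Test" + " " * 90 + PAYLOAD


def syncsafe_encode(n: int) -> bytes:
    """ID3v2 header size: 4 bytes of 7 bits each, top bit always clear."""
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def syncsafe_decode(b: bytes) -> int:
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def text_frame(frame_id: bytes, text: str) -> bytes:
    """v2.3 text frame: id(4) size(4, plain big-endian) flags(2) encoding(1) text."""
    body = b"\x00" + text.encode("latin-1")        # 0x00 = ISO-8859-1 text
    return frame_id + struct.pack(">I", len(body)) + b"\x00\x00" + body


def build_id3v2(title: str, artist: str) -> bytes:
    """Minimal ID3v2.3 tag: 'ID3', version 3.0, flags byte, syncsafe size, frames."""
    frames = text_frame(TITLE_ID, title) + text_frame(ARTIST_ID, artist)
    return b"ID3\x03\x00\x00" + syncsafe_encode(len(frames)) + frames


def parse_id3v2(data: bytes) -> dict:
    """Read the text frames of a v2.3 tag into {frame_id: text}, as a player would."""
    if data[:3] != b"ID3" or data[3] != 3:
        raise ValueError("not an ID3v2.3 tag")
    end = 10 + syncsafe_decode(data[6:10])
    pos, frames = 10, {}
    while pos + 10 <= end:
        fid = data[pos:pos + 4]
        flen = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        if fid == b"\x00\x00\x00\x00" or flen == 0:  # padding: no more frames
            break
        body = data[pos + 10:pos + 10 + flen]
        if fid.startswith(b"T") and body[:1] == b"\x00":
            frames[fid.decode("ascii")] = body[1:].decode("latin-1")
        pos += 10 + flen
    return frames


def render_playlist(tags: list, escape: bool = True) -> str:
    """Emit an HTML list of 'artist - title'. escape=False mirrors the page's
    description of the buggy generator: tag text is copied into the HTML as-is.
    escape=True applies html.escape, so the payload is shown as literal text."""
    rows = []
    for t in tags:
        artist, title = t.get("TPE1", ""), t.get("TIT2", "")
        if escape:
            artist, title = html.escape(artist), html.escape(title)
        rows.append(f"  <li>{artist} - {title}</li>")
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def suspicious_metadata(text: str) -> bool:
    """Defender's check on a tag field: markup characters, or a whitespace run
    long enough to push the tail of the field out of a player's visible title."""
    return "<" in text or ">" in text or re.search(r"\s{20,}", text) is not None


def domain_test() -> dict:
    """Domain test of the title field: one representative per equivalence class
    (the page's null/average/max-length classes plus the HTML class). Returns, per
    class, whether the unescaped generator emitted a live <script> element."""
    cases = {"null": "", "average": "DJ Llama Test",
             "max_length": "A" * 255, "html": PAYLOAD}   # 255: arbitrary long value
    results = {}
    for name, title in cases.items():
        tags = parse_id3v2(build_id3v2(title, "Test Artist"))
        page = render_playlist([tags], escape=False)
        results[name] = "<script" in page.lower()
    return results


if __name__ == "__main__":
    tags = parse_id3v2(build_id3v2(HIDDEN_TITLE, "DJ Llama"))
    print("visible start of title:", tags["TIT2"][:20] + "...")
    print("suspicious:", suspicious_metadata(tags["TIT2"]))
    print(render_playlist([tags]))   # escaped output: payload rendered as text
    print(domain_test())             # only the 'html' class yields a live script
```

Running the script shows the three properties the page relies on: the parser returns the full padded title even though a player shows only its first few characters, the unescaped generator turns the title into a live script element, and escaping the four HTML metacharacters before writing the playlist removes the problem without rejecting any of the other equivalence classes.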


Similar Tests/Additional Notes

This error with the ID3v2 tags in WinAmp v2.76 also occurred in v2.79. The bug was found in v2.76 and corrected for v2.77 (with the fix carrying over through v2.78). However, because of some changes made in v2.79, the error returned. It has since been corrected for all later versions of WinAmp.


Configuration Notes

Testing NullSoft's WinAmp v2.76 on:


Created 31 May 2004 for the CSTER

All images and written material ©Copyright Sam Oswald 2004

This work is licensed under the Creative Commons Attribution-ShareAlike License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/2.0/
or send a letter to
Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305,
USA.