Reappearance of a WinAmp ID3 HTML Bug

 


Summary

To allow users of WinAmp to share a list of what songs they listen to, WinAmp created a function that generates HTML versions of song playlists. However, the Generate HTML Playlist function contains a bug that allows a malicious user to insert dangerous code inside a WinAmp music file's ID3 tag (a song information tag) that is executed when generating the html playlist. The bug originally appeared in version 2.76, was corrected in 2.77 and 2.78, and reappeared in version 2.79. After 2.79, Nullsoft had to release another fixed version of the bug in WinAmp v2.80.


Application Description

NullSoft's WinAmp is a multimedia player designed mostly for playing mp3 music files. The player makes use of ID3 tags, which allow users to record information about the song, such as the artist, title, track number, etc.


Test Design

This example demonstrates the use of Regression testing. We use Regression testing to ensure that the bugs we have already encountered do not reappear in later versions of the program after they have been fixed. Regression testing is not a specified type of testing, rather it is more the awareness and implementation of past testing techniques to monitor applications for the reappearance of issues or the breaking of a working function by new code.

In this example on ID3 tags in WinAmp, we have many different input boxes and types of input that can go in those boxes. Since the Generate HTML Playlist uses the song title and artist, we will make equivalence classes based on what types of input those boxes will take. Furthermore, since those boxes both take the same types of input, we really only have to test one of the boxes.

So, for title and artist we might have a basic equivalence class that looks like this: Title/Artist = {null, average, max length}. We are going to modify that equivalence class to include HTML code, since we are generating an HTML list. It is this part of the equivalence class at which we are going to look .

This is the same test that was performed on version 2.76 of WinAmp, and 2 minor releases later, we found that NullSoft changed a piece of code that allowed the bug to appear.

Regression testing is a very necessary technique for maintaining a stable product release (one that is at least as stable as the releases before in terms of the same features). We observe the results of a regression test by directly examining the program's reaction to the tests that have previously been run before, and expect to receive the same result as we did upon a previous successful run of the test (the result we recieved once the bug was corrected).


Performing the Test

  1. Start WinAmp v2.76 and open an “.mp3” file by clicking on .
  2. Open up the ID3 tag editor by clicking either pressing Alt+3 or right-clicking on the song in the playlist window and selecting File Info.
  3. In the ID3 tag window, make sure only the ID3v2 tag is selected in the check box:

  4. In the 'Title' field, paste the following:

    <script language="JavaScript"> var message = "This is some HTML Code"; alert(message); </script>

  5. Click 'Update' to return to the main WinAmp window.
  6. Generate an HTML playlist:

  7. Repeat this same test using v2.77 or v2.78 (where this bug will not work).
  8. Repeat this same test using v2.79 (where this bug will work again).

Results/Relevance

Receiving the above message means that the HTML code executed successfully. This could be excellent feature, of course, except consider an example like this:

<script language="JavaScript"> while (true) { var message = "Your Internet Browser is now Broken"; alert(message); }</script>

This piece of code above instructs the browser to display the message as long as true equals true (which is always!). And as frustrating as something like this may be, consider if a malicious user replaced this code with code from a less protective language than JavaScript, such as VBScript or ActiveX.

This bug is extremely critical, as it could allow a user to alter or damage information on another user's computer. Regression testing allowed us to reuse the same tests to locate this older bug by testing for errors that WinAmp had in the past and with which we were already familiar.


Similar Tests/Additional Notes

Locate some older releases of WinAmp and use Domain or Function testing to locate some other bugs, then run the same tests in more recent releases of WinAmp.


Configuration Notes

Testing NullSoft's WinAmp v2.79 on:


Created 31 May 2004 for the CSTER

All images and written material ©Copyright Sam Oswald 2004

This work is licensed under the Creative Commons Attribution-ShareAlike License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/2.0/
or send a letter to
Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305,
USA.