mailing list archives
RE: Saved XSS vulnerability in Internet Explorer
From: "Hans Wolters" <j.wolters () piramide nl>
Date: Wed, 17 Nov 2010 07:55:08 +0100
Using ?-- will not work on part of the sites with a problem. A blind
Xss attack using single and double quotes do.
From: MustLive [mailto:mustlive () websecurity com ua]
Sent: Sunday, November 14, 2010 6:54 PM
To: bugtraq () securityfocus com
Subject: Saved XSS vulnerability in Internet Explorer
I want to warn you about Cross-Site Scripting vulnerability in Internet
Explorer. This is Post Persistent XSS (Save XSS)
Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet
Explorer 7 (7.00.5730.13), Internet Explorer 8 (8.00.6001.18702) and
This hole is similar to Cross-Site Scripting vulnerability in Internet
Explorer (http://websecurity.com.ua/1241/) - CVE-2007-4478
(http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4478). Which I
found in August 2007 and informed Microsoft, and they ignored it and
fix it in IE6, and they didn't fixed it in IE7 (and also in IE6) after
informing in 2008. But they silently and lamerly fixed it in IE8, as I
in May 2010 when checked this hole in IE8. This vulnerability is
from previous one in that, that the attack is going not via saving web
but saving web archive (mht/mhtml file) - similarly to Cross-Site
in Opera (http://websecurity.com.ua/2555/), which I wrote about in 2008.
versions of IE6, IE7 and IE8 are affected to this hole.
For the attack it's needed to visit such URL and save html page as
file (Web archive). For executing of the code it's needed that file was
saved not with mht or mhtml extension, but with htm or html extension.
that when opening saved page in any browser the code will run. Attacking
code are saving inside of the file.
This vulnerability - it's Saved XSS and Local XSS
To make hidden attack an iframe can be used in code of the page:
<iframe src='http://site/?--><script>alert("XSS")</script>' height='0'
2010.11.12 - found vulnerability.
2010.11.12 - disclosed at my site.
2010.11.13 - informed Microsoft.
I mentioned about this vulnerability at my site
Best wishes & regards,
Administrator of Websecurity web site