Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Saved XSS vulnerability in Internet Explorer
From: "MustLive" <mustlive () websecurity com ua>
Date: Wed, 17 Nov 2010 23:59:40 +0200

Hello Hans!

First, it's not a site specific hole, it's browser specific. So issue in
browser and it'll be working at any site. And I used universal PoC (suitable
for most cases). For online testing and especially for attacking purposes
you can use any working web site (e.g. google.com).

http://www.google.com/webhp?--%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

The idea of putting XSS code to the parameter (i.e. after '?') is to avoid
redirection in case if particular site (which is using in the attack) is
configured in such way. So using of any holes is not needed, just any
working page of any working site. The XSS code will appear in html file
saved to the disk. So on every particular site it's needed to use any
working page. And for hidden attack via iframe (on any web site) it's
possible to use any stably working site (such as google.com).

Second, this variant of attack is working (and so I'm using this example for
all affected browsers) in first hole in IE (as I wrote in 2007), in Google
Chrome (as I wrote in 2008), in Opera (as I wrote in 2008), in second hole
in IE (as I wrote recently). And in hole in Ad Muncher (which allows to
conduct this attack via any browser at all), which I found in 2006 and which
I wrote about in my article Local XSS (I mentioned a link to English version
of it in my advisory).

You also can read my articles Code Execution via XSS in Internet Explorer
(http://securityvulns.ru/Udocument911.html) and Cross-browser Code Execution
via XSS (http://securityvulns.ru/Udocument941.html), which I wrote in 2008
concerning this kind of vulnerabilities in browsers. How the attack can be
elevated from XSS to CE.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- From: "Hans Wolters" <j.wolters () piramide nl>
To: "MustLive" <mustlive () websecurity com ua>; <bugtraq () securityfocus com>
Sent: Wednesday, November 17, 2010 8:55 AM
Subject: RE: Saved XSS vulnerability in Internet Explorer


Hi,

Using ?-- will not work on part of the sites with a problem. A blind
Xss attack using single and double quotes do.

Best regards,

Hans

-----Original Message-----
From: MustLive [mailto:mustlive () websecurity com ua]
Sent: Sunday, November 14, 2010 6:54 PM
To: bugtraq () securityfocus com
Subject: Saved XSS vulnerability in Internet Explorer

Hello Bugtraq!

I want to warn you about Cross-Site Scripting vulnerability in Internet
Explorer. This is Post Persistent XSS (Save XSS)
(http://websecurity.com.ua/2641/).

-------------------------
Affected products:
-------------------------

Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet
Explorer 7 (7.00.5730.13), Internet Explorer 8 (8.00.6001.18702) and
previous versions.

----------
Details:
----------

This hole is similar to Cross-Site Scripting vulnerability in Internet
Explorer (http://websecurity.com.ua/1241/) - CVE-2007-4478
(http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4478). Which I
found in August 2007 and informed Microsoft, and they ignored it and
didn't
fix it in IE6, and they didn't fixed it in IE7 (and also in IE6) after
my
informing in 2008. But they silently and lamerly fixed it in IE8, as I
found
in May 2010 when checked this hole in IE8. This vulnerability is
different
from previous one in that, that the attack is going not via saving web
page,
but saving web archive (mht/mhtml file) - similarly to Cross-Site
Scripting
in Opera (http://websecurity.com.ua/2555/), which I wrote about in 2008.
All
versions of IE6, IE7 and IE8 are affected to this hole.

XSS (WASC-08):

http://site/?--><script>alert("XSS")</script>

For the attack it's needed to visit such URL and save html page as
mht/mhtml
file (Web archive). For executing of the code it's needed that file was
saved not with mht or mhtml extension, but with htm or html extension.
After
that when opening saved page in any browser the code will run. Attacking
code are saving inside of the file.

This vulnerability - it's Saved XSS and Local XSS
(http://websecurity.com.ua/4219/).

To make hidden attack an iframe can be used in code of the page:

<iframe src='http://site/?--><script>alert("XSS")</script>' height='0'
width='0'></iframe>

------------
Timeline:
------------

2010.11.12 - found vulnerability.
2010.11.12 - disclosed at my site.
2010.11.13 - informed Microsoft.

I mentioned about this vulnerability at my site
(http://websecurity.com.ua/4677/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault