Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])
From: Lise Moorveld <lise_moorveld () yahoo com>
Date: Tue, 3 Oct 2006 02:25:04 -0700 (PDT)

I've been testing around a bit with IE 6 and Apache
and I have found that IE behaves a bit strangely...

If the webserver sets the charset in the response, IE
will not interpret the malicious string as being UTF-7
encoded, regardless of the 'auto-select' option in IE.
However, if I enable 'auto-select' *while* viewing the
error page with the malicious string, the XSS works!

For further testing I created a php-script that sets
the "Content-Type" header without setting the charset.
If 'auto-select' is disabled, XSS doesn't work. If
'auto-select' is enabled, XSS does work.

So it seems that, even though the webserver sets the
charset in the response, IE will do its automatic
encoding determination trick anyway, if you enable
'auto-select' while viewing the webpage. 

This means that, with a little additional social
engineering, UXSS is possible.

proof of concept:

http://www.apache.srv/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------IF_THIS_PAGE_DOESN'T_DISPLAY_CORRECTLY______ENABLE_'AUTO-SELECT'_IN_THE_VIEW->ENCODING_MENU_OF_YOUR_BROWSER------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

;)

--- Paul Szabo <psz () maths usyd edu au> wrote:

Seems that I was wrong and Brian Eaton
<eaton.lists () gmail com> was right:
default apache installations seem to return an
explicit charset in their
error message. (Now I cannot explain how I convinced
myself otherwise.)
Then there is no Universal XSS against default
Apache webservers...

Cheers,

Paul Szabo   psz () maths usyd edu au  
http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of
Sydney    Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter:

http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia -
http://secunia.com/



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault