Full Disclosure mailing list archives
Re: IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])
From: Lise Moorveld <lise_moorveld () yahoo com>
Date: Tue, 3 Oct 2006 02:25:04 -0700 (PDT)
I've been testing around a bit with IE 6 and Apache and I have found that IE behaves a bit strangely...

If the webserver sets the charset in the response, IE will not interpret the malicious string as being UTF-7 encoded, regardless of the 'auto-select' option in IE. However, if I enable 'auto-select' *while* viewing the error page with the malicious string, the XSS works!
For further testing I created a PHP script that sets the "Content-Type" header without setting the charset. If 'auto-select' is disabled, XSS doesn't work. If 'auto-select' is enabled, XSS does work.
So it seems that, even though the webserver sets the charset in the response, IE will do its automatic encoding determination trick anyway, if you enable 'auto-select' while viewing the webpage.

This means that, with a little additional social engineering, UXSS is possible.
Proof of concept:
http://www.apache.srv/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------IF_THIS_PAGE_DOESN'T_DISPLAY_CORRECTLY______ENABLE_'AUTO-SELECT'_IN_THE_VIEW->ENCODING_MENU_OF_YOUR_BROWSER------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
;)
--- Paul Szabo <psz () maths usyd edu au> wrote:
Seems that I was wrong and Brian Eaton <eaton.lists () gmail com> was right: default Apache installations seem to return an explicit charset in their error message. (Now I cannot explain how I convinced myself otherwise.)

Then there is no Universal XSS against default Apache webservers...
Cheers,
Paul Szabo psz () maths usyd edu au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
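The following is an added illustration, not code from anyone in this thread: it shows why the explicit charset is the fix. The same bytes are inert when decoded under a declared 8-bit charset and only become markup if a browser is allowed to guess UTF-7, and a small header check flags responses that leave the charset out (the names and the sample string are assumptions; the string is the one quoted above).

```python
import re

# Constructed sample: the UTF-7 sequence quoted in this thread, as raw bytes.
SAMPLE = b"+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-"

_CHARSET_RE = re.compile(r";\s*charset\s*=\s*\"?([\w.:-]+)\"?", re.IGNORECASE)
_SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def declared_charset(content_type):
    """Return the charset named in a Content-Type header value, or None."""
    m = _CHARSET_RE.search(content_type or "")
    return m.group(1).lower() if m else None


def ensure_charset(content_type, default="UTF-8"):
    """The mitigation: append an explicit charset when the header lacks one."""
    if declared_charset(content_type) is None:
        return f"{content_type.strip()}; charset={default}"
    return content_type


def decoded_body(body, charset):
    """Decode the response bytes as a browser using `charset` would."""
    return body.decode(charset)


def becomes_script(body, charset):
    """True if decoding under `charset` turns the bytes into a <script> tag."""
    return _SCRIPT_RE.search(decoded_body(body, charset)) is not None


if __name__ == "__main__":
    for header in ("text/html; charset=ISO-8859-1", "text/html"):
        cs = declared_charset(header)
        print(f"{header!r}: declared charset = {cs}, fixed = {ensure_charset(header)!r}")
    # Declared 8-bit charset: the bytes stay plain text.
    print("latin-1 active:", becomes_script(SAMPLE, "iso-8859-1"))   # False
    # Browser guessing UTF-7 (the 'auto-select' case): the bytes become markup.
    print("utf-7 active:  ", becomes_script(SAMPLE, "utf-7"))        # True
```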
_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia -
http://secunia.com/