full-disclosure-uk November 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Saved XSS vulnerabilit

Re: [Full-disclosure] Saved XSS vulnerability in Internet Explorer

From: Christian Sciberras <uuf6429_at_nospam>
Date: Sun Nov 14 2010 - 20:20:19 GMT
To: Zach C <fxchip@gmail.com>

...rename it and run it again.

If MustLive says so, it must be realistic...

On Sun, Nov 14, 2010 at 9:14 PM, Zach C <fxchip@gmail.com> wrote:

> But it requires that the user/potential victim go to the URL and save it,
> you say? That doesn't quite seem realistic at all in terms of an attack...
>
> On Nov 14, 2010, at 9:56 AM, "MustLive" <mustlive@websecurity.com.ua>
> wrote:
>
> > Hello Full-Disclosure!
> >
> > I want to warn you about Cross-Site Scripting vulnerability in Internet
> > Explorer. This is Post Persistent XSS (Save XSS)
> > (http://websecurity.com.ua/2641/).
> >
> > -------------------------
> > Affected products:
> > -------------------------
> >
> > Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet
> > Explorer 7 (7.00.5730.13), Internet Explorer 8 (8.00.6001.18702) and
> > previous versions.
> >
> > ----------
> > Details:
> > ----------
> >
> > This hole is similar to Cross-Site Scripting vulnerability in Internet
> > Explorer (http://websecurity.com.ua/1241/) - CVE-2007-4478
> > (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4478). Which I
> > found in August 2007 and informed Microsoft, and they ignored it and
> didn't
> > fix it in IE6, and they didn't fixed it in IE7 (and also in IE6) after my
> > informing in 2008. But they silently and lamerly fixed it in IE8, as I
> found
> > in May 2010 when checked this hole in IE8. This vulnerability is
> different
> > from previous one in that, that the attack is going not via saving web
> page,
> > but saving web archive (mht/mhtml file) - similarly to Cross-Site
> Scripting
> > in Opera (http://websecurity.com.ua/2555/), which I wrote about in 2008.
> All
> > versions of IE6, IE7 and IE8 are affected to this hole.
> >
> > XSS (WASC-08):
> >
> > http://site/?--><script>alert("XSS")</script>
> >
> > For the attack it's needed to visit such URL and save html page as
> mht/mhtml
> > file (Web archive). For executing of the code it's needed that file was
> > saved not with mht or mhtml extension, but with htm or html extension.
> After
> > that when opening saved page in any browser the code will run. Attacking
> > code are saving inside of the file.
> >
> > This vulnerability - it's Saved XSS and Local XSS
> > (http://websecurity.com.ua/4219/).
> >
> > To make hidden attack an iframe can be used in code of the page:
> >
> > <iframe src='http://site/?--><script>alert("XSS")</script>' height='0'
> > width='0'></iframe>
> >
> > ------------
> > Timeline:
> > ------------
> >
> > 2010.11.12 - found vulnerability.
> > 2010.11.12 - disclosed at my site.
> > 2010.11.13 - informed Microsoft.
> >
> > I mentioned about this vulnerability at my site
> > (http://websecurity.com.ua/4677/).
> >
> > Best wishes & regards,
> > MustLive
> > Administrator of Websecurity web site
> > http://websecurity.com.ua
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/