lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 8 Aug 2011 08:23:53 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: CnCxzSec衰仔 <cncxzhack@...il.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: IE handling the HTML notes incorrectly may
 lead to XSS attacks

I think it's worth to note that MSIE expects an *expression* in the
conditional (it's a feature).
Hence even if you disable direct XSS, there still would probably be
more ways an *expression* could be used to write HTML code.

As such, I don't think they should be "fixing" this (since it is
intended), but rather warn developers about it's existence.

On the other hand, if developers are writing unfiltered HTML inside
this conditional, I think there are worse issues than this.
I've always believed in the philosophy of making browsers work as
expected instead of expecting them to comply and fix my issues.
Especially if the browser in question is Internet Explorer ;-).

Cheers,
Chris.



On Mon, Aug 8, 2011 at 5:59 AM, CnCxzSec衰仔 <cncxzhack@...il.com> wrote:
> this is a normal use, but <!--[if<img/onerror=alert(1) src=]> is an unnormal
> use. IE should regard this as an HTML comment instead of a downlevel-hidden
> comment, so the HTML tags inside the COMMENT should not be evaled.
> On Mon, Aug 8, 2011 at 11:30 AM, Andrew Farmer <andfarm@...il.com> wrote:
>>
>> On 2011-08-07, at 19:53, CnCxzSec衰仔 wrote:
>> > hi all, here is an interesting trick to perform an xss attack with IE
>> > browsers.
>> >
>> > some rich text applications such as email and blog, may provide HTML
>> > uses
>> > but have a policy to block the on-event execution to prevent the XSS
>> > attack.
>> > However, this applications may also allow the HTML notes uses,for
>> > instance
>> > "<!--  -->"
>>
>> Any such applications are likely to also be vulnerable to a simpler attack
>> based on "downlevel-hidden" conditional comments:
>>
>> <!--[if IE]>
>> <script>anything you want can go here, presumably</script>
>> <![endif]-->
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ