[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <00b001c334e3$d3513140$a300a8c0@spidynamics.com>
Date: Tue, 17 Jun 2003 11:19:20 -0400
From: "Kevin Spett" <kspett@...dynamics.com>
To: "jelmer" <kuper237@...net.nl>,
"GreyMagic Software" <security@...ymagic.com>,
<full-disclosure@...ts.netsys.com>, <bugtraq@...urityfocus.com>
Subject: Re: Cross-Site Scripting in Unparsable XML Files (GM#013-IE)
> <object type="application/xml" data="http://www.yahoo.com" width="500"
> height="500">
> </object>
This produces a warning in IE6 before it does anything with it.
Kevin Spett
SPI Labs
http://www.spidynamics.com
> Generaly html files are not well formed xml so it shouldnt be difficult to
> get this to work on just about any site
>
> --jelmer
>
>
> ----- Original Message -----
> From: "GreyMagic Software" <security@...ymagic.com>
> To: <full-disclosure@...ts.netsys.com>
> Sent: Tuesday, June 17, 2003 12:09 PM
> Subject: [Full-Disclosure] Cross-Site Scripting in Unparsable XML Files
> (GM#013-IE)
>
>
> > GreyMagic Security Advisory GM#013-IE
> > =====================================
> >
> > By GreyMagic Software, Israel.
> > 17 Jun 2003.
> >
> > Available in HTML format at http://security.greymagic.com/adv/gm013-ie/.
> >
> > Topic: Cross-Site Scripting in Unparsable XML Files.
> >
> > Discovery date: 18 Feb 2003.
> >
> > Affected applications:
> > ======================
> >
> > Microsoft Internet Explorer 5.5 and 6.0.
> >
> > Note that any other application that uses Internet Explorer's engine
> > (WebBrowser control) is affected as well (AOL Browser, MSN Explorer,
> etc.).
> >
> >
> > Introduction:
> > =============
> >
> > Internet Explorer automatically attempts to parse any XML file requested
> > individually by the browser. When the parsing process is successful, a
> > dynamic tree of the various XML elements is presented. However, when a
> > parsing error occurs Internet Explorer displays the parse error along
with
> > the URL of the requested XML file.
> >
> >
> > Discussion:
> > ===========
> >
> > We have found that in some cases the displayed URL is not filtered
> > appropriately, and may cause HTML that was passed in the querystring of
> the
> > URL to be rendered by the browser. This creates a classic cross-site
> > scripting attack in almost any XML file that MSXML fails to read.
> > Practically, this means that leaving XML files on your server that can't
> be
> > parsed correctly by Internet Explorer and MSXML is exposing the site to
a
> > global Cross-Site Scripting attack.
> >
> > We have been able to reproduce this problem in various setups, but we
> > couldn't pinpoint the vulnerable component reliably enough. It is most
> > likely an MSXML issue, and not a flaw in Internet Explorer itself.
> >
> >
> > Exploit:
> > ========
> >
> > This sample shows the basic URL for injecting content:
> >
> >
>
http://host.with.unparsable.xml.file/flaw.xml?<script>alert(document.cookie)
> > </script>
> >
> >
> > Demonstration:
> > ==============
> >
> > We put together a simple proof of concept demonstration, which can be
> found
> > at http://security.greymagic.com/adv/gm013-ie/.
> >
> >
> > Solution:
> > =========
> >
> > Microsoft was notified on 20-Feb-2003. They reported that they were able
> to
> > reproduce this flaw on IE6 Gold, and no other version. Our research
showed
> > different, yet inconsistent results (see "Tested on" section for
details).
> >
> >
> > Tested on:
> > ==========
> >
> > IE5.5 NT4.
> > IE6 Win98.
> > IE6 Win2000.
> >
> >
> > Disclaimer:
> > ===========
> >
> > The information in this advisory and any of its demonstrations is
provided
> > "as is" without warranty of any kind.
> >
> > GreyMagic Software is not liable for any direct or indirect damages
caused
> > as a result of using the information or demonstrations provided in any
> part
> > of this advisory.
> >
> >
> > Feedback:
> > =========
> >
> > Please mail any questions or comments to security@...ymagic.com.
> >
> > - Copyright © 2003 GreyMagic Software.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists