[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200306232039.h5NKdIo4015103@linus.mitre.org>
Date: Mon, 23 Jun 2003 16:39:18 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Subject: Re: Cross-Site Scripting in Unparsable XML Files (GM#013-IE)
Matt Moore said:
>I also reported this to Microsoft - sometime around May or June
>2002... I copied Steve Christey at Mitre on a couple of the emails
I can confirm that on July 19, 2002, Matt CC'ed me on an email to the
Microsoft Security Response Center in which Matt asked about when his
reported issue would be fixed. Included in that email was a trail of
other messages dating back to his original notification of June 25,
2002, with a subject of "Potential Cross Site Scripting Flaw in
Internet Explorer XML Parser".
Matt's original email includes the following:
... it's possible to perform XSS attacks against IE clients of a web
server that has a malformed XML document residing on it.
... The XML parser in IE should sanitise any resource names it
includes in it's error messages. It appears that various [sic] of
the IE XML parser error pages are vulnerable to this.
>this may already have a CAN entry.
For disclosures in which the vendor actively uses CVE identifiers,
such as Microsoft, our general approach is to encourage the researcher
to obtain a CVE name through the vendor. This reduces the risk of
accidental duplication and errors in assigning CVE names, e.g. if
multiple researchers find the same issue, or if researchers find the
"symptoms" of a larger problem.
We do follow the "30-day" disclosure guideline and provide a CAN to
the researcher if they want to publicize an issue after 30 days, but
in this case Matt did not release, so a CAN was not assigned until
this issue was publicized by GreyMagic (CAN-2003-0446).
Steve Christey
CVE Editor
Powered by blists - more mailing lists