Date: Sat, 5 Jul 2003 22:32:33 +0200
From: "Marek Blahus" <marek@...hus.cz>
To: <bugtraq@...urityfocus.com>
Subject: Re: Script Injection to Custom HTTP Errors in Local Zone (GM#014-IE)


Here are some comments on the MSIE custom HTTP errors script injection
vulnerability posted by GreyMagic back on June 17th:

I had been playing with the custom HTTP errors as well, it's some two years
ago, but it still works pretty much the same. Here is my version of the URL
I figured out that time. It is similar to that of GreyMagic, but mine does
not show the JavaScript source in the text of the page and allows you insert
any innocent looking arbitrary text instead. It makes use of the //-style
comments instead of /**/ comments to protect that text from being
interpreted:

res://shdoclc.dll/http_404.htm#javascript:alert(location.href);//://clickme/

Because of the "security precaution" that Microsoft implemented you are not
allowed to use the often essential apostrophe as a part of the injected
code. Fortunately, there is this nice work around:

res://shdoclc.dll/http_404.htm#javascript:alert(String.fromCharCode(72,101,1
08,108,111));//://clickme/

And if you must use some of the other forbidden characters or character
combinations that would break the consistence of the specially crafted URL,
feel free to enclose all the commands in one big eval(String.fromCharCode())
and get rid of the problems.

You can force the user click on the link by selecting a proper text for it
and displaying the error message in an IFRAME of proper dimensions,
clipping, etc., which should make the link look unrecognizable from the
other links on the page.

Regards,
Marek Blahus <security@...hus.cz>

Powered by blists - more mailing lists