lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Oct 2006 22:36:20 +1000 From: Paul Szabo <psz@...hs.usyd.edu.au> To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053]) Eiji James Yoshida wrote in http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049784.html : > If 'Encoding' is set to 'Auto Select', and Internet Explorer finds a UTF-7 > string in the response's body, it will set the charset encoding to UTF-7 > automatically ... > Proof of concept: > http://MaliciousSite/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-... I know that Apache servers return The requested URL /xyz was not found on this server. when fetching http://apache.svr/xyz . Trouble is that IE shows a "custom" error message, ignoring the error body. Pondering, see that http://en.wikipedia.org/wiki/HTTP_404 says: > ... Internet Explorer will not display these pages, however, unless they > are larger than 512 bytes. ... This provides UXSS (Universal Cross-Site Scripting): http://apache.svr/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/ZZZ... (with a couple of hundred Zs) will do what we want. Works for https also: https://apache.svr/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/ZZZ... Can steal any Apache server (http or https) cookies. I do not have easy access to ISS servers to test whether similar attacks would work there. Will Apache fix (carefully escape) the error message? Will MS fix IE to not be so over-friendly? In the meantime, do not use IE to do anything "private" like banking... Cheers, Paul Szabo psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia
Powered by blists - more mailing lists