lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <201107210714.p6L7EYNG027652@sf01web1.securityfocus.com>
Date: Thu, 21 Jul 2011 07:14:34 GMT
From: adic@...ibm.com
To: bugtraq@...urityfocus.com
Subject: Microsoft Internet Explorer 'toStaticHTML' HTML Sanitizing
 Information Disclosure

Name: Microsoft Internet Explorer 'toStaticHTML' HTML Sanitizing Information Disclosure Vulnerability
Author: Adi Cohen of IBM Rational Application Security (adic@...ibm.com)
Date: June 14, 2011
Risk: Medium
CVE: CVE-2011-1252


Introduction
-------------
The JavaScript function toStaticHTML, which is found in Internet Explorer 8 and Internet Explorer 9, is used to sanitize HTML fragments from dynamic and potentially malicious content.
If an attacker can manage to pass malicious code through this function, s/he may be able to perform HTML injection based attacks (such as XSS).
 
Vulnerability
-------------
An attacker can create a specially formed CSS that after passing through the toStaticHTML function will contain an expression that will trigger a JavaScript call.

The following JavaScript code demonstrates the vulnerability:

<script>document.write(toStaticHTML("<style>div{color:rgb(0,0,0)&a=expression(alert(1))}</style>Adi Cohen"))</script>	

This code bypasses the filter engine by taking advantage of the following facts:
1.	The filtering engine allows the string "expression(" to exist in "non-dangerous" locations within the CSS
2.	The filtering engine changes special characters (such as & , < , >) to their HTML encoded equivalents (&amp; , &gt; , &lt;), which all end with a semicolon

An attacker can use the semi-colon of the HTML encoded characters to terminate a CSS sentence and start a new one without the filtering engine being aware of it, thereby breaking the state machine.

Impact
------
Any application that relies on the function toStaticHTML to sanitize user supplied data is probably vulnerable to XSS.

References
----------
http://www.securityfocus.com/bid/48199
http://support.avaya.com/css/P8/documents/100141412
http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ