| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <BAY16-F332F6E83C31C30CAB59FD9B9580@phx.gbl> From: bitlance_3 at hotmail.com (bitlance winter) Subject: Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate HTML Hi, LIST. ======== subject: ======== Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate HTML Documents ======== NOTE: ======== This bug had been provided by an unknown person on his site. This bug is widely known in Japan since August, 2004. (These news was reported.) Now his site is closed. Some engineers prevented this bug. They are maintaining Web services. Wiki, Webmail, Blog, BBS, those might be dangerous. ======== First: ======== I want to show the following first. Please checkout using IE on XPSP2. The cat is here. http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg And the cat is a script kitty. mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg You see? executing JavaScript? Ok. If you are using old IE or Windows, try this one. mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg.mhtml Confirmed? ======== Second: ======== What is happen to us? Please checkout. http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt or same file, http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt This is a test messages which demonstrate of sending e-mail in HTML format according to RFC 2557. And check out please. mhtml:http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt or same file, mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt ======== Third: ======== Then we can change Content-Transfer-Encoding: from '7bit' to 'quoted-printable'. Checkout please. http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt - ----- q2.txt ------ Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: quoted-printable =3C!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"=3E =3CHTML=3E =3CHEAD=3E=3CTITLE=3ETest message no. 3=3C/TITLE=3E =3C/HEAD=3E =3CBODY=3E =3CH1=3EThis is test message no. 3=3C/H1=3E =3CH2=3EHere comes the red test image:=3C/H2=3E =3CIMG SRC=3D"http://www.dsv.su.se/jpalme/mimetest/red-test-image.gif" BORDER=3D0 HEIGHT=3D32 WIDTH=3D117 ALT=3D"red test image"=3E =3CH2=3EHere comes the yellow test image:=3C/H2=3E =3CIMG SRC=3D"http://www.dsv.su.se/jpalme/mimetest/yellow-test-image.gif" BORDER=3D0 HEIGHT=3D32 WIDTH=3D152 ALT=3D"yellow test image"=3E =3CP=3EThis is the last line of this test message. =3C/BODY=3E=3C/HTML=3E - ----- q2.txt ------ Where is HTML TAG? Do you know how to sanitise? mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt The malicious code would be inserted by a malicious user, on Blog, Wiki, BBS with fileuploader ,etc. JPEG file or Gif file are also poisoned. There is possible XSS issue on Windows XPSP2 IE6 via MHTML. ======== Reference: ======== Using HTML in E-mail http://www.dsv.su.se/jpalme/ietf/mhtml.html MIME Encapsulation of Aggregate HTML Documents (MHTML) http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml_.asp RFC 2045 - Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies http://www.faqs.org/rfcs/rfc2045.html =========== Sorry my bad English. Best Regards. =========== -- bitlance winter _________________________________________________________________ Don’t just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/
Powered by blists - more mailing lists