From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate HTML

Dear bitlance winter,

Using MHTML to bypass content filtering for scripting was already
reported here by offtopic, as well as a few more tricks. You may want to
read this:

offtopic, 3APA3A. Bypassing client application protection techniques
http://www.security.nnov.ru/advisories/bypassing.asp

and this

3APA3A. Bypassing content filtering whitepaper
http://www.security.nnov.ru/advisories/content.asp

--Monday, February 28, 2005, 6:11:31 PM, you wrote to full-disclosure@...ts.netsys.com:

bw> Hi, LIST.

bw> ========
bw> subject:
bw> ========
bw> Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate
bw> HTML Documents

bw> ========
bw> NOTE:
bw> ========
bw> This bug had been provided by an unknown person on his site.
bw> This bug is widely known in Japan since August, 2004.
bw> (This news was reported.)
bw> Now his site is closed.
bw> Some engineers prevented this bug. They are maintaining Web services.
bw> Wiki, Webmail, Blog, BBS, those might be dangerous.

bw> ========
bw> First:
bw> ========

bw> I want to show the following first. Please check it out using IE on XPSP2.

bw> The cat is here.
bw> http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg

bw> And the cat is a script kitty.
bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg

bw> You see? Executing JavaScript? OK.
bw> If you are using old IE or Windows, try this one.
bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg.mhtml

bw> Confirmed?

bw> ========
bw> Second:
bw> ========

bw> What happens to us?
bw> Please check it out.
bw> http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt
bw> or same file,
bw> http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt

bw> This is a test message which demonstrates sending e-mail
bw> in HTML format according to RFC 2557.

bw> And please check out:
bw> mhtml:http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt
bw> or same file,
bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt


bw> ========
bw> Third:
bw> ========

bw> Then we can change Content-Transfer-Encoding:
bw> from '7bit' to 'quoted-printable'.
bw> Check it out, please.
bw> http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt


bw> - ----- q2.txt ------
bw> Content-Type: text/html; charset=us-ascii
bw> Content-Transfer-Encoding: quoted-printable

bw> =3C!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"=3E
bw> =3CHTML=3E
bw> =3CHEAD=3E=3CTITLE=3ETest message no. 3=3C/TITLE=3E
bw> =3C/HEAD=3E
bw> =3CBODY=3E
bw> =3CH1=3EThis is test message no. 3=3C/H1=3E

bw> =3CH2=3EHere comes the red test image:=3C/H2=3E
bw> =3CIMG
bw> SRC=3D"http://www.dsv.su.se/jpalme/mimetest/red-test-image.gif"
bw> BORDER=3D0 HEIGHT=3D32 WIDTH=3D117
bw> ALT=3D"red test image"=3E

bw> =3CH2=3EHere comes the yellow test image:=3C/H2=3E
bw> =3CIMG
bw> SRC=3D"http://www.dsv.su.se/jpalme/mimetest/yellow-test-image.gif"
bw> BORDER=3D0 HEIGHT=3D32 WIDTH=3D152
bw> ALT=3D"yellow test image"=3E

bw> =3CP=3EThis is the last line of this test message.
bw> =3C/BODY=3E=3C/HTML=3E
bw> - ----- q2.txt ------

bw> Where is HTML TAG?
bw> Do you know how to sanitise?
bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt

bw> The malicious code would be inserted by a malicious user
bw> on a Blog, Wiki, BBS with a file uploader, etc.
bw> JPEG or GIF files are also poisoned.

bw> There is a possible XSS issue on Windows XPSP2 IE6 via MHTML.

bw> ========
bw> Reference:
bw> ========

bw> Using HTML in E-mail
bw> http://www.dsv.su.se/jpalme/ietf/mhtml.html

bw> MIME Encapsulation of Aggregate HTML Documents (MHTML)
bw> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml_.asp

bw> RFC 2045 - Multipurpose Internet Mail Extensions (MIME) Part One: Format of
bw> Internet Message Bodies
bw> http://www.faqs.org/rfcs/rfc2045.html

bw> ===========

bw> Sorry for my bad English.
bw> Best Regards.

bw> ===========
bw> --
bw> bitlance winter




-- 
~/ZARAZA
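Added example, not from either message above and not from the security.nnov.ru papers: the question bitlance winter puts at "Where is HTML TAG? Do you know how to sanitise?" is that a filter grepping an upload's raw bytes for markup sees none when the body is quoted-printable or base64, because the angle brackets only appear after the Content-Transfer-Encoding is undone. The Python below, written here for illustration, treats an upload that starts with MIME headers as a possible MHTML document, decodes every leaf part with the standard library email parser, and only then looks for HTML and for active content, next to the naive raw-bytes check for comparison. The two samples are constructed; the first mirrors the shape of the q2.txt listing in the post, the second is an RFC 2557 style multipart/related aggregate with a base64 part. The "MIME headers at offset zero" test is an assumption about what an upload filter should treat as MIME; how the mhtml: handler in IE itself decides is not described on this page.

```python
import base64
import email
import email.policy
import re

# Constructed sample with the same shape as the q2.txt listing in the post:
# one text/html part whose angle brackets exist only after QP decoding.
QP_SAMPLE = b"""Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

=3C!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"=3E
=3CHTML=3E
=3CHEAD=3E=3CTITLE=3ETest message no. 3=3C/TITLE=3E
=3C/HEAD=3E
=3CBODY=3E
=3CH1=3EThis is test message no. 3=3C/H1=3E
=3CP=3EThis is the last line of this test message.
=3C/BODY=3E=3C/HTML=3E
"""


def build_multipart_sample() -> bytes:
    """Constructed RFC 2557 style aggregate: a base64 HTML part containing a
    script element next to a (constructed, truncated) GIF part."""
    boundary = b"constructed-boundary"
    html = b'<html><body><script>document.title = "hi"</script></body></html>'
    return b"\r\n".join([
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/related; boundary="' + boundary + b'"',
        b"",
        b"--" + boundary,
        b"Content-Type: text/html; charset=us-ascii",
        b"Content-Transfer-Encoding: base64",
        b"",
        base64.b64encode(html),
        b"--" + boundary,
        b"Content-Type: image/gif",
        b"Content-Transfer-Encoding: base64",
        b"",
        base64.b64encode(b"GIF89a" + b"\x00" * 10),
        b"--" + boundary + b"--",
        b"",
    ])


# Assumption: an upload whose first line is a MIME header is a MIME candidate.
MIME_HEADER = re.compile(
    rb"(?i)^(mime-version|content-type|content-transfer-encoding|content-location)\s*:")
# Any start tag, end tag or <!DOCTYPE ...> declaration.
HTML_MARKUP = re.compile(rb"<\s*/?\s*[a-z!]", re.I)
# Script elements, on* event attributes and javascript: URLs.
ACTIVE_CONTENT = re.compile(rb"<\s*script\b|\son[a-z]+\s*=|javascript\s*:", re.I)


def inspect_upload(raw: bytes) -> dict:
    """Compare what a raw-bytes grep sees with what is there after decoding
    each part's Content-Transfer-Encoding."""
    report = {
        "mime": bool(MIME_HEADER.match(raw.lstrip())),
        "raw_html": bool(HTML_MARKUP.search(raw)),
        "decoded_html": False,
        "active": False,
        "parts": 0,
    }
    if not report["mime"]:
        return report
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no body of their own
        report["parts"] += 1
        # decode=True undoes quoted-printable / base64 for this part
        body = part.get_payload(decode=True) or b""
        if HTML_MARKUP.search(body):
            report["decoded_html"] = True
        if ACTIVE_CONTENT.search(body):
            report["active"] = True
    return report


def should_block(raw: bytes) -> bool:
    """Upload policy: a MIME-structured file that carries HTML once decoded
    must not be served from the site's own origin."""
    r = inspect_upload(raw)
    return r["mime"] and (r["decoded_html"] or r["active"])


if __name__ == "__main__":
    for name, sample in (("qp", QP_SAMPLE), ("multipart", build_multipart_sample()),
                         ("plain gif", b"GIF89a\x00\x00")):
        print(name, inspect_upload(sample), "block:", should_block(sample))
```

The naive check reports no HTML for either MIME sample, while the decoded check finds markup in both and active content in the second; a plain image that does not start with MIME headers passes untouched. The same decode-before-inspect rule applies to any scanner fed by an upload endpoint or a content filter.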

