Date: Tue, 3 Oct 2006 02:25:04 -0700 (PDT)
From: Lise Moorveld <lise_moorveld@...oo.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])

I've been testing around a bit with IE 6 and Apache
and I have found that IE behaves a bit strangely...

If the webserver sets the charset in the response, IE
will not interpret the malicious string as being UTF-7
encoded, regardless of the 'auto-select' option in IE.
However, if I enable 'auto-select' *while* viewing the
error page with the malicious string, the XSS works!

For further testing I created a PHP script that sets
the "Content-Type" header without setting the charset.
If 'auto-select' is disabled, XSS doesn't work. If
'auto-select' is enabled, XSS does work.

So it seems that, even though the webserver sets the
charset in the response, IE will do its automatic
encoding determination trick anyway, if you enable
'auto-select' while viewing the webpage. 

This means that, with a little additional social
engineering, UXSS is possible.

Proof of concept:

http://www.apache.srv/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------IF_THIS_PAGE_DOESN'T_DISPLAY_CORRECTLY______ENABLE_'AUTO-SELECT'_IN_THE_VIEW->ENCODING_MENU_OF_YOUR_BROWSER------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

;)

--- Paul Szabo <psz@...hs.usyd.edu.au> wrote:

> Seems that I was wrong and Brian Eaton
> <eaton.lists@...il.com> was right:
> default apache installations seem to return an
> explicit charset in their
> error message. (Now I cannot explain how I convinced
> myself otherwise.)
> Then there is no Universal XSS against default
> Apache webservers...
> 
> Cheers,
> 
> Paul Szabo   psz@...hs.usyd.edu.au  
> http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics, University of Sydney, Australia
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia -
> http://secunia.com/
> 



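Added example, not code from Lise's post or from anyone else in the thread: the two checks a server operator would want after reading this exchange, written in Python. `response_charset` reports whether a response declares its encoding in the Content-Type header or in a meta tag, which is the precondition for a browser falling back to encoding auto-detection on an error page. `find_utf7_markup` scans a request path or reflected parameter for `+...-` UTF-7 shifted runs that decode to markup characters, for log review or an input filter; as the post shows, an explicit charset alone is not enough once auto-select is switched on while the page is displayed, so reflected content still has to be checked. The function names, regular expressions and sample headers are my own constructions; the sample path reuses the PoC string from the post.

```python
"""Defender-side checks for the UTF-7 auto-select issue discussed in the thread.

Added example, not code from the original post. All sample headers, bodies and
request paths below are constructed for illustration.
"""
import re

# charset=... parameter inside a Content-Type header value
_CT_CHARSET = re.compile(r";\s*charset\s*=\s*\"?([\w.:-]+)\"?", re.I)
# <meta http-equiv="Content-Type" content="text/html; charset=...">
_META_CHARSET = re.compile(r"<meta[^>]*charset\s*=\s*[\"']?([\w.:-]+)", re.I)
# A UTF-7 shifted run: '+', one or more base64 characters, terminated by '-'
_UTF7_RUN = re.compile(r"\+[A-Za-z0-9+/]+-")


def response_charset(headers, body):
    """Return the charset the response declares, or None if it declares none.

    The header declaration wins over a <meta> tag. A None result means the
    browser is free to guess the encoding, which is the precondition for the
    UTF-7 trick described in the thread.
    """
    for name, value in headers.items():
        if name.lower() == "content-type":
            m = _CT_CHARSET.search(value)
            if m:
                return m.group(1).lower()
    m = _META_CHARSET.search(body)
    return m.group(1).lower() if m else None


def find_utf7_markup(text):
    """Return (raw, decoded) pairs for UTF-7 runs in `text` that decode to
    characters an HTML parser treats as markup.

    Intended for request logs or reflected parameters: a plain ASCII string
    such as '+ADw-' contains no '<' for an escaping routine to see, but
    decodes to one once a browser decides the page is UTF-7.
    """
    hits = []
    for m in _UTF7_RUN.finditer(text):
        try:
            # the match is pure ASCII, so only the UTF-7 decode can fail
            decoded = m.group(0).encode("ascii").decode("utf-7")
        except UnicodeDecodeError:
            continue  # not a well-formed shifted run, e.g. leftover bits
        if any(c in decoded for c in "<>\"'&"):
            hits.append((m.group(0), decoded))
    return hits


def audit_response(path, headers, body):
    """Run both checks on one request/response pair and return a list of
    human-readable findings (an empty list means nothing was flagged)."""
    findings = []
    if response_charset(headers, body) is None:
        findings.append("response declares no charset: browser may auto-detect")
    for raw, decoded in find_utf7_markup(path + body):
        findings.append(f"UTF-7 run {raw!r} decodes to {decoded!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a 404 page that echoes the requested path, first
    # without and then with an explicit charset, requested with the UTF-7
    # encoded path from the post.
    PATH = "/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/"
    BODY = "<html><body>The requested URL " + PATH + " was not found.</body></html>"
    for line in audit_response(PATH, {"Content-Type": "text/html"}, BODY):
        print("no charset  ->", line)
    for line in audit_response(PATH, {"Content-Type": "text/html; charset=iso-8859-1"}, BODY):
        print("with charset ->", line)
```

With the charset declared, the "no charset" finding disappears but the UTF-7 runs are still reported, which matches the behaviour described in the post: the header removes the browser's reason to guess, while the reflected `+ADw-` sequences remain the thing to filter or encode on the way out.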