| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 14 Nov 2010 12:14:32 -0800
From: Zach C <fxchip@...il.com>
To: MustLive <mustlive@...security.com.ua>
Cc: "<full-disclosure@...ts.grok.org.uk>" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Saved XSS vulnerability in Internet Explorer
But it requires that the user/potential victim go to the URL and save it, you say? That doesn't quite seem realistic at all in terms of an attack...
On Nov 14, 2010, at 9:56 AM, "MustLive" <mustlive@...security.com.ua> wrote:
> Hello Full-Disclosure!
>
> I want to warn you about Cross-Site Scripting vulnerability in Internet
> Explorer. This is Post Persistent XSS (Save XSS)
> (http://websecurity.com.ua/2641/).
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet
> Explorer 7 (7.00.5730.13), Internet Explorer 8 (8.00.6001.18702) and
> previous versions.
>
> ----------
> Details:
> ----------
>
> This hole is similar to Cross-Site Scripting vulnerability in Internet
> Explorer (http://websecurity.com.ua/1241/) - CVE-2007-4478
> (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4478). Which I
> found in August 2007 and informed Microsoft, and they ignored it and didn't
> fix it in IE6, and they didn't fixed it in IE7 (and also in IE6) after my
> informing in 2008. But they silently and lamerly fixed it in IE8, as I found
> in May 2010 when checked this hole in IE8. This vulnerability is different
> from previous one in that, that the attack is going not via saving web page,
> but saving web archive (mht/mhtml file) - similarly to Cross-Site Scripting
> in Opera (http://websecurity.com.ua/2555/), which I wrote about in 2008. All
> versions of IE6, IE7 and IE8 are affected to this hole.
>
> XSS (WASC-08):
>
> http://site/?--><script>alert("XSS")</script>
>
> For the attack it's needed to visit such URL and save html page as mht/mhtml
> file (Web archive). For executing of the code it's needed that file was
> saved not with mht or mhtml extension, but with htm or html extension. After
> that when opening saved page in any browser the code will run. Attacking
> code are saving inside of the file.
>
> This vulnerability - it's Saved XSS and Local XSS
> (http://websecurity.com.ua/4219/).
>
> To make hidden attack an iframe can be used in code of the page:
>
> <iframe src='http://site/?--><script>alert("XSS")</script>' height='0'
> width='0'></iframe>
>
> ------------
> Timeline:
> ------------
>
> 2010.11.12 - found vulnerability.
> 2010.11.12 - disclosed at my site.
> 2010.11.13 - informed Microsoft.
>
> I mentioned about this vulnerability at my site
> (http://websecurity.com.ua/4677/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists