lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <004101cb8425$4f65f750$c103fea9@ml>
Date: Sun, 14 Nov 2010 19:56:12 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Saved XSS vulnerability in Internet Explorer

Hello Full-Disclosure!

I want to warn you about Cross-Site Scripting vulnerability in Internet
Explorer. This is Post Persistent XSS (Save XSS)
(http://websecurity.com.ua/2641/).

-------------------------
Affected products:
-------------------------

Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet
Explorer 7 (7.00.5730.13), Internet Explorer 8 (8.00.6001.18702) and
previous versions.

----------
Details:
----------

This hole is similar to Cross-Site Scripting vulnerability in Internet
Explorer (http://websecurity.com.ua/1241/) - CVE-2007-4478
(http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4478). Which I
found in August 2007 and informed Microsoft, and they ignored it and didn't
fix it in IE6, and they didn't fixed it in IE7 (and also in IE6) after my
informing in 2008. But they silently and lamerly fixed it in IE8, as I found
in May 2010 when checked this hole in IE8. This vulnerability is different
from previous one in that, that the attack is going not via saving web page,
but saving web archive (mht/mhtml file) - similarly to Cross-Site Scripting
in Opera (http://websecurity.com.ua/2555/), which I wrote about in 2008. All
versions of IE6, IE7 and IE8 are affected to this hole.

XSS (WASC-08):

http://site/?--><script>alert("XSS")</script>

For the attack it's needed to visit such URL and save html page as mht/mhtml
file (Web archive). For executing of the code it's needed that file was
saved not with mht or mhtml extension, but with htm or html extension. After
that when opening saved page in any browser the code will run. Attacking
code are saving inside of the file.

This vulnerability - it's Saved XSS and Local XSS
(http://websecurity.com.ua/4219/).

To make hidden attack an iframe can be used in code of the page:

<iframe src='http://site/?--><script>alert("XSS")</script>' height='0'
width='0'></iframe>

------------
Timeline:
------------

2010.11.12 - found vulnerability.
2010.11.12 - disclosed at my site.
2010.11.13 - informed Microsoft.

I mentioned about this vulnerability at my site
(http://websecurity.com.ua/4677/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ