Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Cross-Site Scripting in Unparsable XML Files (GM#013-IE)

From: "Kevin Spett" <kspett () spidynamics com>
Date: Tue, 17 Jun 2003 11:19:20 -0400
<object type="application/xml" data="http://www.yahoo.com"; width="500"
height="500">
</object>


This produces a warning in IE6 before it does anything with it.


Kevin Spett
SPI Labs
http://www.spidynamics.com



Generaly html files are not well formed xml so it shouldnt be difficult to
get this to work on just about any site

--jelmer


----- Original Message ----- 
From: "GreyMagic Software" <security () greymagic com>
To: <full-disclosure () lists netsys com>
Sent: Tuesday, June 17, 2003 12:09 PM
Subject: [Full-disclosure] Cross-Site Scripting in Unparsable XML Files
(GM#013-IE)



GreyMagic Security Advisory GM#013-IE
=====================================

By GreyMagic Software, Israel.
17 Jun 2003.

Available in HTML format at http://security.greymagic.com/adv/gm013-ie/.

Topic: Cross-Site Scripting in Unparsable XML Files.

Discovery date: 18 Feb 2003.

Affected applications:
======================

Microsoft Internet Explorer 5.5 and 6.0.

Note that any other application that uses Internet Explorer's engine
(WebBrowser control) is affected as well (AOL Browser, MSN Explorer,

etc.).



Introduction:
=============

Internet Explorer automatically attempts to parse any XML file requested
individually by the browser. When the parsing process is successful, a
dynamic tree of the various XML elements is presented. However, when a
parsing error occurs Internet Explorer displays the parse error along

with

the URL of the requested XML file.


Discussion:
===========

We have found that in some cases the displayed URL is not filtered
appropriately, and may cause HTML that was passed in the querystring of

the

URL to be rendered by the browser. This creates a classic cross-site
scripting attack in almost any XML file that MSXML fails to read.
Practically, this means that leaving XML files on your server that can't

be

parsed correctly by Internet Explorer and MSXML is exposing the site to

a

global Cross-Site Scripting attack.

We have been able to reproduce this problem in various setups, but we
couldn't pinpoint the vulnerable component reliably enough. It is most
likely an MSXML issue, and not a flaw in Internet Explorer itself.


Exploit:
========

This sample shows the basic URL for injecting content:





http://host.with.unparsable.xml.file/flaw.xml?<script>alert(document.cookie)

</script>


Demonstration:
==============

We put together a simple proof of concept demonstration, which can be

found

at http://security.greymagic.com/adv/gm013-ie/.


Solution:
=========

Microsoft was notified on 20-Feb-2003. They reported that they were able

to

reproduce this flaw on IE6 Gold, and no other version. Our research

showed

different, yet inconsistent results (see "Tested on" section for

details).



Tested on:
==========

IE5.5 NT4.
IE6 Win98.
IE6 Win2000.


Disclaimer:
===========

The information in this advisory and any of its demonstrations is

provided

"as is" without warranty of any kind.

GreyMagic Software is not liable for any direct or indirect damages

caused

as a result of using the information or demonstrations provided in any

part

of this advisory.


Feedback:
=========

Please mail any questions or comments to security () greymagic com.

- Copyright © 2003 GreyMagic Software.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: