Full Disclosure mailing list archives

Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate HTML


From: "bitlance winter" <bitlance_3 () hotmail com>
Date: Mon, 28 Feb 2005 15:11:31 +0000

Hi, LIST.

========
subject:
========
Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate HTML Documents

========
NOTE:
========
This bug had been provided by an unknown person on his site.
This bug has been widely known in Japan since August 2004.
(This news was reported.)
Now his site is closed.
Some engineers prevented this bug. They are maintaining Web services.
Wikis, webmail, blogs, BBSes: those might be dangerous.

========
First:
========

I want to show the following first. Please check it out using IE on XPSP2.

The cat is here.
http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg

And the cat is a script kitty.
mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg

You see? Executing JavaScript? OK.
If you are using old IE or Windows, try this one.
mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg.mhtml

Confirmed?

========
Second:
========

What is happening to us?
Please check it out.
http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt
or the same file,
http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt

This is a test message which demonstrates sending e-mail
in HTML format according to RFC 2557.

And please check out:
mhtml:http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt
or the same file,
mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt


========
Third:
========

Then we can change the Content-Transfer-Encoding:
from '7bit' to 'quoted-printable'.
Please check out:
http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt


- ----- q2.txt ------
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

=3C!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"=3E
=3CHTML=3E
=3CHEAD=3E=3CTITLE=3ETest message no. 3=3C/TITLE=3E
=3C/HEAD=3E
=3CBODY=3E
=3CH1=3EThis is test message no. 3=3C/H1=3E

=3CH2=3EHere comes the red test image:=3C/H2=3E
=3CIMG SRC=3D"http://www.dsv.su.se/jpalme/mimetest/red-test-image.gif";
BORDER=3D0 HEIGHT=3D32 WIDTH=3D117
ALT=3D"red test image"=3E

=3CH2=3EHere comes the yellow test image:=3C/H2=3E
=3CIMG SRC=3D"http://www.dsv.su.se/jpalme/mimetest/yellow-test-image.gif";
BORDER=3D0 HEIGHT=3D32 WIDTH=3D152
ALT=3D"yellow test image"=3E

=3CP=3EThis is the last line of this test message.
=3C/BODY=3E=3C/HTML=3E
- ----- q2.txt ------

Where are the HTML tags?
Do you know how to sanitise?
mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt

The malicious code would be inserted by a malicious user
on a blog, wiki, BBS with a file uploader, etc.
JPEG or GIF files are also poisoned.

There is a possible XSS issue on Windows XPSP2 IE6 via MHTML.

========
Reference:
========

Using HTML in E-mail
http://www.dsv.su.se/jpalme/ietf/mhtml.html

MIME Encapsulation of Aggregate HTML Documents (MHTML)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml_.asp

RFC 2045 - Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies
http://www.faqs.org/rfcs/rfc2045.html

===========

Sorry for my bad English.
Best Regards.

===========
--
bitlance winter
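The "Where are the HTML tags?" question above is the crux for a defender: a filter that scans uploaded bytes for '<' never sees the tags, because a MIME-aware viewer decodes the Content-Transfer-Encoding first. The following is an added example (not the poster's code) of a server-side check that decodes the transfer encoding before looking for tags, run over a constructed sample shaped like the post's q2.txt; the function names are made up for this illustration.

```python
import base64
import quopri
import re

# Constructed sample, reproducing the shape of the q2.txt in the post: MIME
# headers followed by an HTML body in which every '<' is encoded as =3C.
Q2_SAMPLE = b"""Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

=3C!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"=3E
=3CHTML=3E=3CBODY=3E
=3CH1=3EThis is test message no. 3=3C/H1=3E
=3C/BODY=3E=3C/HTML=3E
"""

HEADER_RE = re.compile(rb"^[A-Za-z][A-Za-z0-9-]*:")
TAG_RE = re.compile(rb"<\s*/?\s*(?:!|[A-Za-z])")


def naive_has_html(data: bytes) -> bool:
    """What a filter that scans only the raw bytes for tags concludes."""
    return TAG_RE.search(data) is not None


def decode_mime_body(data: bytes) -> bytes:
    """If data starts with MIME headers, return the body decoded according
    to its Content-Transfer-Encoding; otherwise return data unchanged."""
    if not HEADER_RE.match(data):
        return data
    parts = re.split(rb"\r?\n\r?\n", data, maxsplit=1)
    if len(parts) != 2:
        return data
    head, body = parts
    m = re.search(rb"content-transfer-encoding:\s*([\w-]+)", head, re.I)
    cte = m.group(1).lower() if m else b"7bit"
    if cte == b"quoted-printable":
        return quopri.decodestring(body)
    if cte == b"base64":
        try:
            return base64.b64decode(body)
        except ValueError:
            return body
    return body


def has_hidden_html(data: bytes) -> bool:
    """Tag check that decodes the transfer encoding first, i.e. sees the
    upload the way the mhtml: handler in the post would render it."""
    return naive_has_html(decode_mime_body(data))
```

The point of the pair is the disagreement: on the sample, naive_has_html returns False while has_hidden_html returns True.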
