Full Disclosure mailing list archives
Re: Saved XSS vulnerability in Internet Explorer
From: "MustLive" <mustlive () websecurity com ua>
Date: Thu, 18 Nov 2010 18:39:54 +0200
Hello Zach and Christian.
But it requires that the user/potential victim go to the URL and save it, you say? That doesn't quite seem realistic at all in terms of an attack...
Yes, this vulnerability is complex and it'll be not easy to attack. But hidden iframe can be used, as I wrote in my advisory, to conduct this attack hiddenly. And this kind of vulnerability can be elevated from XSS to Code Execution (as I wrote in below-mentioned articles). As first hole in IE (which I disclosed in 2007), in Google Chrome (which I disclosed in 2008), in Opera (which I disclosed in 2008), in second hole in IE (which I disclosed recently). And in hole in Ad Muncher (which allows to conduct this attack via any browser at all), which I found in 2006 and which I wrote about in my article Local XSS (I mentioned a link to English version of it in my advisory).
If MustLive says so, it must be realistic...
This vulnerability is complex, but there is some possibility for successful attack. So taking into account complexity of vulnerability, I gave it low risk. Much lower than Mitre gave in CVE-2007-4478 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4478) and 3APA3A gave in SecurityVulns ID: 8081 (http://securityvulns.ru/news/Microsoft/IE/saved-css.html). I gave low risk (1/5 or 2/10). Mitre gave 4.3 (medium risk): CVSS v2 Base Score: 4.3 (MEDIUM) Impact Subscore: 2.9 Exploitability Subscore: 8.6 3APA3A gave 3/10. So other people consider it even more dangerous then I do :-). And taking into account that Microsoft fixed it in IE (fixed hiddenly and lamerly after two years in IE8), Google fixed it in Chrome (quickly) and Opera fix it (fixed hiddenly and lamerly after one year in Opera 10) - then it looks like browser vendors also consider such holes as dangerous. You guys also can read my articles Code Execution via XSS in Internet Explorer (http://securityvulns.ru/Udocument911.html) and Cross-browser Code Execution via XSS (http://securityvulns.ru/Udocument941.html), which I wrote in 2008 concerning this kind of vulnerabilities in different browsers which I found. How the attack can be elevated from XSS to CE. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua ----- Original Message ----- From: "Zach C" <fxchip () gmail com> To: "MustLive" <mustlive () websecurity com ua> Cc: <full-disclosure () lists grok org uk> Sent: Sunday, November 14, 2010 10:14 PM Subject: Re: [Full-disclosure] Saved XSS vulnerability in Internet Explorer But it requires that the user/potential victim go to the URL and save it, you say? That doesn't quite seem realistic at all in terms of an attack... On Nov 14, 2010, at 9:56 AM, "MustLive" <mustlive () websecurity com ua> wrote:
Hello Full-Disclosure! I want to warn you about Cross-Site Scripting vulnerability in Internet Explorer. This is Post Persistent XSS (Save XSS) (http://websecurity.com.ua/2641/). ------------------------- Affected products: ------------------------- Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet Explorer 7 (7.00.5730.13), Internet Explorer 8 (8.00.6001.18702) and previous versions. ---------- Details: ---------- This hole is similar to Cross-Site Scripting vulnerability in Internet Explorer (http://websecurity.com.ua/1241/) - CVE-2007-4478 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4478). Which I found in August 2007 and informed Microsoft, and they ignored it and didn't fix it in IE6, and they didn't fixed it in IE7 (and also in IE6) after my informing in 2008. But they silently and lamerly fixed it in IE8, as I found in May 2010 when checked this hole in IE8. This vulnerability is different from previous one in that, that the attack is going not via saving web page, but saving web archive (mht/mhtml file) - similarly to Cross-Site Scripting in Opera (http://websecurity.com.ua/2555/), which I wrote about in 2008. All versions of IE6, IE7 and IE8 are affected to this hole. XSS (WASC-08): http://site/?--><script>alert("XSS")</script> For the attack it's needed to visit such URL and save html page as mht/mhtml file (Web archive). For executing of the code it's needed that file was saved not with mht or mhtml extension, but with htm or html extension. After that when opening saved page in any browser the code will run. Attacking code are saving inside of the file. This vulnerability - it's Saved XSS and Local XSS (http://websecurity.com.ua/4219/). To make hidden attack an iframe can be used in code of the page: <iframe src='http://site/?--><script>alert("XSS")</script>' height='0' width='0'></iframe> ------------ Timeline: ------------ 2010.11.12 - found vulnerability. 2010.11.12 - disclosed at my site. 2010.11.13 - informed Microsoft. I mentioned about this vulnerability at my site (http://websecurity.com.ua/4677/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Saved XSS vulnerability in Internet Explorer MustLive (Nov 14)
- Re: Saved XSS vulnerability in Internet Explorer Zach C (Nov 14)
- Re: Saved XSS vulnerability in Internet Explorer Christian Sciberras (Nov 14)
- Re: Saved XSS vulnerability in Internet Explorer Jacky Jack (Nov 15)
- Re: Saved XSS vulnerability in Internet Explorer MustLive (Nov 18)
- Re: Saved XSS vulnerability in Internet Explorer Christian Sciberras (Nov 14)
- Re: Saved XSS vulnerability in Internet Explorer MustLive (Nov 18)
- Re: Saved XSS vulnerability in Internet Explorer Jacky Jack (Nov 18)
- Re: Saved XSS vulnerability in Internet Explorer Zach C (Nov 14)