Full Disclosure mailing list archives
Re: Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate HTML
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Mon, 28 Feb 2005 21:29:08 +0300
Dear bitlance winter, Using MHTML to bypass content filtering for scripting was at least reported here by offtopic as well as few more tricks. You may want to read this: offtopic, 3APA3A. Bypassing client application protection techniques http://www.security.nnov.ru/advisories/bypassing.asp and this 3APA3A. Bypassing content filtering whitepaper http://www.security.nnov.ru/advisories/content.asp --Monday, February 28, 2005, 6:11:31 PM, you wrote to full-disclosure () lists netsys com: bw> Hi, LIST. bw> ======== bw> subject: bw> ======== bw> Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate bw> HTML Documents bw> ======== bw> NOTE: bw> ======== bw> This bug had been provided by an unknown person on his site. bw> This bug is widely known in Japan since August, 2004. bw> (These news was reported.) bw> Now his site is closed. bw> Some engineers prevented this bug. They are maintaining Web services. bw> Wiki, Webmail, Blog, BBS, those might be dangerous. bw> ======== bw> First: bw> ======== bw> I want to show the following first. Please checkout using IE on XPSP2. bw> The cat is here. bw> http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg bw> And the cat is a script kitty. bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg bw> You see? executing JavaScript? Ok. bw> If you are using old IE or Windows, try this one. bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg.mhtml bw> Confirmed? bw> ======== bw> Second: bw> ======== bw> What is happen to us? bw> Please checkout. bw> http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt bw> or same file, bw> http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt bw> This is a test messages which demonstrate of sending e-mail bw> in HTML format according to RFC 2557. bw> And check out please. bw> mhtml:http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt bw> or same file, bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt bw> ======== bw> Third: bw> ======== bw> Then we can change Content-Transfer-Encoding: bw> from '7bit' to 'quoted-printable'. bw> Checkout please. bw> http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt bw> - ----- q2.txt ------ bw> Content-Type: text/html; charset=us-ascii bw> Content-Transfer-Encoding: quoted-printable bw> =3C!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"=3E bw> =3CHTML=3E bw> =3CHEAD=3E=3CTITLE=3ETest message no. 3=3C/TITLE=3E bw> =3C/HEAD=3E bw> =3CBODY=3E bw> =3CH1=3EThis is test message no. 3=3C/H1=3E bw> =3CH2=3EHere comes the red test image:=3C/H2=3E bw> =3CIMG bw> SRC=3D"http://www.dsv.su.se/jpalme/mimetest/red-test-image.gif"; bw> BORDER=3D0 HEIGHT=3D32 WIDTH=3D117 bw> ALT=3D"red test image"=3E bw> =3CH2=3EHere comes the yellow test image:=3C/H2=3E bw> =3CIMG bw> SRC=3D"http://www.dsv.su.se/jpalme/mimetest/yellow-test-image.gif"; bw> BORDER=3D0 HEIGHT=3D32 WIDTH=3D152 bw> ALT=3D"yellow test image"=3E bw> =3CP=3EThis is the last line of this test message. bw> =3C/BODY=3E=3C/HTML=3E bw> - ----- q2.txt ------ bw> Where is HTML TAG? bw> Do you know how to sanitise? bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt bw> The malicious code would be inserted by a malicious user, bw> on Blog, Wiki, BBS with fileuploader ,etc. bw> JPEG file or Gif file are also poisoned. bw> There is possible XSS issue on Windows XPSP2 IE6 via MHTML. bw> ======== bw> Reference: bw> ======== bw> Using HTML in E-mail bw> http://www.dsv.su.se/jpalme/ietf/mhtml.html bw> MIME Encapsulation of Aggregate HTML Documents (MHTML) bw> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml_.asp bw> RFC 2045 - Multipurpose Internet Mail Extensions (MIME) Part One: Format of bw> Internet Message Bodies bw> http://www.faqs.org/rfcs/rfc2045.html bw> =========== bw> Sorry my bad English. bw> Best Regards. bw> =========== bw> -- bw> bitlance winter bw> _________________________________________________________________ bw> Don’t just search. Find. Check out the new MSN Search! bw> http://search.msn.click-url.com/go/onm00200636ave/direct/01/ bw> _______________________________________________ bw> Full-Disclosure - We believe in it. bw> Charter: http://lists.netsys.com/full-disclosure-charter.html -- ~/ZARAZA Стреляя во второй раз, он искалечил постороннего. Посторонним был я. (Твен) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
![http://www.dsv.su.se/jpalme/mimetest/red-test-image.gif"](http://www.dsv.su.se/jpalme/mimetest/red-test-image.gif"){kind=link}
![http://www.dsv.su.se/jpalme/mimetest/yellow-test-image.gif"](http://www.dsv.su.se/jpalme/mimetest/yellow-test-image.gif"){kind=link}
Current thread:
- Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate HTML bitlance winter (Feb 28)
- Re: Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate HTML 3APA3A (Feb 28)
- Re: Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate HTML bitlance winter (Mar 01)
- Re: Possible XSS issue on Windows XPSP2 IE6 via MIMEEncapsulation of Aggregate HTML Jerome ATHIAS (Mar 01)
- Re: Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate HTML 3APA3A (Feb 28)