Full Disclosure mailing list archives
Re: IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])
From: Lise Moorveld <lise_moorveld () yahoo com>
Date: Tue, 3 Oct 2006 02:25:04 -0700 (PDT)
I've been testing around a bit with IE 6 and Apache and I have found that IE behaves a bit strangely... If the webserver sets the charset in the response, IE will not interpret the malicious string as being UTF-7 encoded, regardless of the 'auto-select' option in IE. However, if I enable 'auto-select' *while* viewing the error page with the malicious string, the XSS works!

For further testing I created a PHP script that sets the "Content-Type" header without setting the charset. If 'auto-select' is disabled, XSS doesn't work. If 'auto-select' is enabled, XSS does work.

So it seems that, even though the webserver sets the charset in the response, IE will do its automatic encoding determination trick anyway, if you enable 'auto-select' while viewing the webpage. This means that, with a little additional social engineering, UXSS is possible.

Proof of concept:

http://www.apache.srv/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------IF_THIS_PAGE_DOESN'T_DISPLAY_CORRECTLY______ENABLE_'AUTO-SELECT'_IN_THE_VIEW->ENCODING_MENU_OF_YOUR_BROWSER------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

;)

--- Paul Szabo <psz () maths usyd edu au> wrote:

> Seems that I was wrong and Brian Eaton <eaton.lists () gmail com> was right: default Apache installations seem to return an explicit charset in their error message. (Now I cannot explain how I convinced myself otherwise.)
>
> Then there is no Universal XSS against default Apache webservers...
>
> Cheers, Paul Szabo psz () maths usyd edu au http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
>
> _______________________________________________
> Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
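The distinction the message turns on (charset declared in Content-Type versus left for the client to guess, and a user forcing UTF-7 from the View->Encoding menu) can be checked mechanically on the server side. The following Python is an added example written for this archive page, not code from the thread, Apache or IE: it decodes a response body under the declared charset and again under UTF-7 and reports which case applies. The 404 body is a constructed stand-in for Apache's error page, Latin-1 is assumed as the client default when no charset is declared, and the verdict strings are this example's own names.

```python
import codecs
import re

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
CHARSET_PARAM = re.compile(r";\s*charset\s*=\s*\"?([\w.:-]+)", re.IGNORECASE)

# Constructed sample: the UTF-7 spelling of <SCRIPT>alert('XSS');</SCRIPT> from the PoC path.
UTF7_PAYLOAD = "+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-"
FALLBACK_CHARSET = "iso-8859-1"  # assumed client default when the server declares none

def declared_charset(content_type):
    """Charset parameter of a Content-Type header value, lower-cased, or None when absent."""
    m = CHARSET_PARAM.search(content_type or "")
    return m.group(1).lower() if m else None

def decode_as(body, charset):
    """Decode the raw body under one fixed charset, the way a non-sniffing client would."""
    try:
        return codecs.decode(body, charset, "replace")
    except LookupError:
        return body.decode("latin-1", "replace")

def apache_404_body(path):
    """Constructed stand-in for Apache's default 404 page, which echoes the requested URL."""
    return ("<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY>"
            "<P>The requested URL %s was not found on this server.</P>"
            "</BODY></HTML>" % path).encode("ascii", "replace")

def assess_response(content_type, body):
    """Classify a response by whether a script tag shows up under the declared
    charset, and whether it would show up if the client chose UTF-7 instead."""
    charset = declared_charset(content_type)
    under_declared = SCRIPT_TAG.search(decode_as(body, charset or FALLBACK_CHARSET))
    under_utf7 = SCRIPT_TAG.search(decode_as(body, "utf-7"))
    if under_declared:
        verdict = "reflected-xss"            # live markup, no charset sniffing needed
    elif under_utf7 and charset is None:
        verdict = "utf7-sniffable"           # auto-detecting clients may settle on UTF-7
    elif under_utf7:
        verdict = "utf7-only-if-overridden"  # needs the user to force UTF-7 (View->Encoding)
    else:
        verdict = "clean"
    return {"charset": charset, "verdict": verdict}

if __name__ == "__main__":
    body = apache_404_body("/" + UTF7_PAYLOAD + "/")
    for ct in ("text/html; charset=iso-8859-1", "text/html"):
        print(ct, "->", assess_response(ct, body))
```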