Bugtraq mailing list archives

Re: Cross-Site Scripting in Unparsable XML Files (GM#013-IE)


From: Matt Moore <matt.moore () pentest-limited com>
Date: Tue, 17 Jun 2003 18:32:42 +0000

Hello,

On Tue, 17 Jun 2003 10:09:51 "GMT"
GreyMagic Software <security () greymagic com> wrote:

> GreyMagic Security Advisory GM#013-IE
> =====================================
>
> ...
>
> Topic: Cross-Site Scripting in Unparsable XML Files.
>
> Discovery date: 18 Feb 2003.

I also reported this to Microsoft sometime around May or June 2002. In the exchange of emails I had with them, they confirmed that it was indeed due to the MSXML parser. I'd tested the flaw on IE 5 and 5.5 (Win2k). I do remember that MS said they would fix it in a service pack, although they didn't specify whether it was an IE service pack or a Win2k one (one would assume Win2k, as MSXML isn't a part of IE? Not sure about that).

Several application server default installs leave files visible which can be used to exploit this bug (e.g. Oracle 9iAS 9.0.2 has several .dtd files visible which can be used to cause the MSXML parser to generate the error page).

I copied Steve Christey at Mitre on a couple of the emails to MS so this may already have a CAN entry. (Hello Steve)

Over the course of at least four months I exchanged several emails with someone called 'Terry' from the MS Security Response Centre. However, I never got any definitive answer as to whether the problem was fixed or not.

Obviously not.

regards,

Matt

--
Matt Moore <matt.moore (at) pentest-limited.com>
E073 2975 0D69 B250 C225
A03E 30A8 AE27 A4F7 2A8A
