Re: Cross-Site Scripting in Unparsable XML Files (GM#013-IE)

[jelmer <kuper237 () planet nl>]

hi greymagic,

First off i can't reproduce this on my fully patched ie6

Second you should be able to have ie render any html page as a xml file like
this

<object type="application/xml" data="http://www.yahoo.com"; width="500"
height="500">
</object>

Generaly html files are not well formed xml so it shouldnt be difficult to
get this to work on just about any site

--jelmer


----- Original Message ----- 
From: "GreyMagic Software" <security () greymagic com>
To: <full-disclosure () lists netsys com>
Sent: Tuesday, June 17, 2003 12:09 PM
Subject: [Full-disclosure] Cross-Site Scripting in Unparsable XML Files
(GM#013-IE)


> GreyMagic Security Advisory GM#013-IE
> =====================================
>
> By GreyMagic Software, Israel.
> 17 Jun 2003.
>
> Available in HTML format at http://security.greymagic.com/adv/gm013-ie/.
>
> Topic: Cross-Site Scripting in Unparsable XML Files.
>
> Discovery date: 18 Feb 2003.
>
> Affected applications:
> ======================
>
> Microsoft Internet Explorer 5.5 and 6.0.
>
> Note that any other application that uses Internet Explorer's engine
> (WebBrowser control) is affected as well (AOL Browser, MSN Explorer,
etc.).
> Introduction:
> =============
>
> Internet Explorer automatically attempts to parse any XML file requested
> individually by the browser. When the parsing process is successful, a
> dynamic tree of the various XML elements is presented. However, when a
> parsing error occurs Internet Explorer displays the parse error along with
> the URL of the requested XML file.
>
>
> Discussion:
> ===========
>
> We have found that in some cases the displayed URL is not filtered
> appropriately, and may cause HTML that was passed in the querystring of
the
> URL to be rendered by the browser. This creates a classic cross-site
> scripting attack in almost any XML file that MSXML fails to read.
> Practically, this means that leaving XML files on your server that can't
be
> parsed correctly by Internet Explorer and MSXML is exposing the site to a
> global Cross-Site Scripting attack.
>
> We have been able to reproduce this problem in various setups, but we
> couldn't pinpoint the vulnerable component reliably enough. It is most
> likely an MSXML issue, and not a flaw in Internet Explorer itself.
>
>
> Exploit:
> ========
>
> This sample shows the basic URL for injecting content:
http://host.with.unparsable.xml.file/flaw.xml?<script>alert(document.cookie)
> </script>
>
>
> Demonstration:
> ==============
>
> We put together a simple proof of concept demonstration, which can be
found
> at http://security.greymagic.com/adv/gm013-ie/.
>
>
> Solution:
> =========
>
> Microsoft was notified on 20-Feb-2003. They reported that they were able
to
> reproduce this flaw on IE6 Gold, and no other version. Our research showed
> different, yet inconsistent results (see "Tested on" section for details).
>
>
> Tested on:
> ==========
>
> IE5.5 NT4.
> IE6 Win98.
> IE6 Win2000.
>
>
> Disclaimer:
> ===========
>
> The information in this advisory and any of its demonstrations is provided
> "as is" without warranty of any kind.
>
> GreyMagic Software is not liable for any direct or indirect damages caused
> as a result of using the information or demonstrations provided in any
part
> of this advisory.
>
>
> Feedback:
> =========
>
> Please mail any questions or comments to security () greymagic com.
>
> - Copyright © 2003 GreyMagic Software.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html