Full Disclosure mailing list archives
Re: Internet Explorer 6 Meta Refresh Parsing Weakness
From: tuytumadre () att net
Date: Thu, 18 Aug 2005 02:48:56 +0000
Why should Microsoft be accountable for the mistakes of webmasters? Have you even tested any of ther other browsers? Even if you have, a webmaster should indeed be responsible for blindly redirecting a user to a url supplied in input. This isn't an Internet Explorer mistake - it is a webmaster mistake, and quite a silly one at that. Btw, if this message appears in your mailboxes twice, it's because I sent it twice (the first time I received a DNS failure message). Regards, Paul Greyhats Security http://greyhatsecurity.org -------------- Original message from Moritz Naumann <info () moritz-naumann com>: --------------
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SA0001 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++ Internet Explorer 6 Meta Refresh Parsing Weakness +++++ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ PUBLISHED ON Aug 17, 2005 PUBLISHED AT http://moritz-naumann.com/adv/0001/ie6meta/0001.txt PUBLISHED BY Moritz Naumann IT Consulting & Services Hamburg/Germany http://moritz-naumann.com/ info AT moritz HYPHON naumann D0T com GPG key: http://moritz-naumann.com/keys/0x277F060C.asc AFFECTED PRODUCT OR SERVICE Microsoft Internet Explorer http://www.microsoft.com/windows/ie/ AFFECTED VERSION Version 6 up to release 6.0.2900.2180 (SP2 + all patches) Possibly versions < 6.0 (untested) BACKGROUND While the format of META http-equiv="refresh" and META name="refresh" type HTML headers was never exactly defined by they W3C, web browsers have been interpreting this instruction since early releases. Web application developers got used to the clients' behaviour and using this tag to initiate URL redirections became common. As most web browsers, Internet Explorer 6 interprets this tag, too. However, in contrary to other web browsers, IE6's HTML parser uses a pretty loose rule set which facilitates injection of malicious code into it when browsing web applications which insufficiently sanitize user supplied input. For example, a web application may use the following PHP code (redirect.php) to redirect a web browser to a different URL:$goto = $_GET["goto"]; // Input sanitization omitted$meta1 = ''; echo $meta.$goto; ?> Assuming this script is hosted in the web root on example.org, the following HTML code would be returned on a request to http://example.org/redirect.php?goto=localhost : Obviously, a web application developer must make sure that no malicious code can be injected along the 'goto' parameter passed via the HTTP GET method. A common method to sanitize user input would be to hardcode the protocol part of the URL ('http://') contained in 'goto', and to URL-encode any double quotes. This would assumely make it difficult to inject any malicious client side code. ISSUE Unlickily, and in contrary to other web browsers, Internet Explorer 6 allows multiple 'URL=' parts in the 'content' attribute and will only interpret the last value given. Resulting from this, it is still possible to inject code into a web application using the input sanitization described above which will be executed when using Internet Explorer 6. For example, Internet Explorer 6 will interpret the following statement: URL parameter: goto=;URL=javascript:alert('XSS'); Resulting META tag: content="0; URL=http://;URL=javascript:alert('XSS');"> Resulting behaviour: Displays Javascript alert with text 'XSS' Making use of Internet Explorers loose parsing, a code such as this value of the 'goto' URL parameter will work, too: %20%20%20%20%20;UrL=jaVAscRIpt:alert('XSS'); will work, too. As any of ';', 'UrL', '=', 'jaVAscRIpt' and ':' may be legal content passed to the traget web site (think of a search term passed to a search engine), sanitizing this is not too easy. As the expected behaviour would be that a web browser would either return an error message for incorrect syntax or would attempt to interpret anything after the first 'URL=' part as the target URL, Internet Explorer behaves in a pretty uncommon way. A fix on the user agent side would be the best solution for this issue. WORKAROUND Client: Disable META REFRESH in Security Settings for the Internet Zone. Server: Perform thorough sanitization on your web applications. SOLUTIONS Microsoft will not provide a patch. TIMELINE Aug 04, 2005: Vendor informed Aug 04, 2005: First vendor reply Aug 17, 2005: Vendor finishes investigation, declares itself unaccountabile CREDIT N/A LICENSE Creative Commons Attribution-ShareAlike License Germany http://creativecommons.org/licenses/by-sa/2.0/de/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFDA6WGn6GkvSd/BgwRAnIRAJ9sK7ub/JwoBwNQjtC8j4QxiVl3kwCfUNqi o+WaJkCQ9LUzdLtNwdBungg= =lNVL -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Internet Explorer 6 Meta Refresh Parsing Weakness tuytumadre (Aug 17)
- Re: Internet Explorer 6 Meta Refresh Parsing Weakness Moritz Naumann (Aug 19)