But it requires that the user/potential victim go to the URL and save it, you say? That doesn't quite seem realistic at all in terms of an attack...
On Nov 14, 2010, at 9:56 AM, "MustLive" <[email protected]> wrote: > Hello Full-Disclosure! > > I want to warn you about Cross-Site Scripting vulnerability in Internet > Explorer. This is Post Persistent XSS (Save XSS) > (http://websecurity.com.ua/2641/). > > ------------------------- > Affected products: > ------------------------- > > Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet > Explorer 7 (7.00.5730.13), Internet Explorer 8 (8.00.6001.18702) and > previous versions. > > ---------- > Details: > ---------- > > This hole is similar to Cross-Site Scripting vulnerability in Internet > Explorer (http://websecurity.com.ua/1241/) - CVE-2007-4478 > (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4478). Which I > found in August 2007 and informed Microsoft, and they ignored it and didn't > fix it in IE6, and they didn't fixed it in IE7 (and also in IE6) after my > informing in 2008. But they silently and lamerly fixed it in IE8, as I found > in May 2010 when checked this hole in IE8. This vulnerability is different > from previous one in that, that the attack is going not via saving web page, > but saving web archive (mht/mhtml file) - similarly to Cross-Site Scripting > in Opera (http://websecurity.com.ua/2555/), which I wrote about in 2008. All > versions of IE6, IE7 and IE8 are affected to this hole. > > XSS (WASC-08): > > http://site/?--><script>alert("XSS")</script> > > For the attack it's needed to visit such URL and save html page as mht/mhtml > file (Web archive). For executing of the code it's needed that file was > saved not with mht or mhtml extension, but with htm or html extension. After > that when opening saved page in any browser the code will run. Attacking > code are saving inside of the file. > > This vulnerability - it's Saved XSS and Local XSS > (http://websecurity.com.ua/4219/). > > To make hidden attack an iframe can be used in code of the page: > > <iframe src='http://site/?--><script>alert("XSS")</script>' height='0' > width='0'></iframe> > > ------------ > Timeline: > ------------ > > 2010.11.12 - found vulnerability. > 2010.11.12 - disclosed at my site. > 2010.11.13 - informed Microsoft. > > I mentioned about this vulnerability at my site > (http://websecurity.com.ua/4677/). > > Best wishes & regards, > MustLive > Administrator of Websecurity web site > http://websecurity.com.ua > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
