...rename it and run it again. If MustLive says so, it must be realistic...
On Sun, Nov 14, 2010 at 9:14 PM, Zach C <[email protected]> wrote: > But it requires that the user/potential victim go to the URL and save it, > you say? That doesn't quite seem realistic at all in terms of an attack... > > On Nov 14, 2010, at 9:56 AM, "MustLive" <[email protected]> > wrote: > > > Hello Full-Disclosure! > > > > I want to warn you about Cross-Site Scripting vulnerability in Internet > > Explorer. This is Post Persistent XSS (Save XSS) > > (http://websecurity.com.ua/2641/). > > > > ------------------------- > > Affected products: > > ------------------------- > > > > Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet > > Explorer 7 (7.00.5730.13), Internet Explorer 8 (8.00.6001.18702) and > > previous versions. > > > > ---------- > > Details: > > ---------- > > > > This hole is similar to Cross-Site Scripting vulnerability in Internet > > Explorer (http://websecurity.com.ua/1241/) - CVE-2007-4478 > > (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4478). Which I > > found in August 2007 and informed Microsoft, and they ignored it and > didn't > > fix it in IE6, and they didn't fixed it in IE7 (and also in IE6) after my > > informing in 2008. But they silently and lamerly fixed it in IE8, as I > found > > in May 2010 when checked this hole in IE8. This vulnerability is > different > > from previous one in that, that the attack is going not via saving web > page, > > but saving web archive (mht/mhtml file) - similarly to Cross-Site > Scripting > > in Opera (http://websecurity.com.ua/2555/), which I wrote about in 2008. > All > > versions of IE6, IE7 and IE8 are affected to this hole. > > > > XSS (WASC-08): > > > > http://site/?--><script>alert("XSS")</script> > > > > For the attack it's needed to visit such URL and save html page as > mht/mhtml > > file (Web archive). For executing of the code it's needed that file was > > saved not with mht or mhtml extension, but with htm or html extension. > After > > that when opening saved page in any browser the code will run. Attacking > > code are saving inside of the file. > > > > This vulnerability - it's Saved XSS and Local XSS > > (http://websecurity.com.ua/4219/). > > > > To make hidden attack an iframe can be used in code of the page: > > > > <iframe src='http://site/?--><script>alert("XSS")</script>' height='0' > > width='0'></iframe> > > > > ------------ > > Timeline: > > ------------ > > > > 2010.11.12 - found vulnerability. > > 2010.11.12 - disclosed at my site. > > 2010.11.13 - informed Microsoft. > > > > I mentioned about this vulnerability at my site > > (http://websecurity.com.ua/4677/). > > > > Best wishes & regards, > > MustLive > > Administrator of Websecurity web site > > http://websecurity.com.ua > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
