Hi all, here is an interesting trick to perform an XSS attack against IE browsers.

Some rich-text applications, such as email and blog software, may allow HTML but have a policy of blocking on-event handlers to prevent XSS attacks. However, these applications may also allow HTML comments, for instance "<!-- -->", but...

code1 (saved as poc1.html):

<!--<img/onerror=alert(1) src=]>

With code1, IE handles the IMG tag as an HTML comment, and of course IE will not execute the onerror event.

code2 (saved as poc2.html):

<!--[if<img/onerror=alert(1) src=]>

With code2, IE handles <img/onxxxxx as a real and valid HTML tag, and we can see the alert JS evaluated!

IE can render better web pages by using the CSS-hack trick <!--[if IE 6]>; this XSS attack trick may be a derivative of that. I really regard this as an IE vulnerability and suggest Microsoft fix it.

Thanks to Sogili for offering me an XSS similar to this.

Best regards!
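The filter policy described above (trust comments, scrub on-event handlers from tags) modelled beside a hardened version that removes comments outright, plus a check for IE's conditional-comment opener. This is an added example, not the poster's code; the sample inputs are the two PoCs quoted in the post plus a constructed benign comment, and the regex-based "filter" stands in for whatever sanitizer an application actually uses.

```python
import re

# Constructed samples: the two PoCs quoted in the post plus a benign note.
SAMPLES = {
    "poc1": "<!--<img/onerror=alert(1) src=]>",
    "poc2": "<!--[if<img/onerror=alert(1) src=]>",
    "benign": "<p>hi</p><!-- reviewed --><b>ok</b>",
}

# An unterminated comment runs to the end of the input, as browsers treat it.
COMMENT_RE = re.compile(r"<!--.*?(?:-->|\Z)", re.S)
# Any on<event>= attribute (onerror=, onload=, ...), case-insensitive.
ON_EVENT_RE = re.compile(r"\bon\w+\s*=", re.I)


def naive_filter(html):
    """Models the policy in the post: comment bodies are trusted and passed
    through untouched; on-event attributes are stripped only outside comments.
    Both PoCs are one big 'comment' to this filter, so they survive verbatim,
    and IE then parses poc2's body as a conditional comment containing a tag."""
    out, pos = [], 0
    for m in COMMENT_RE.finditer(html):
        out.append(ON_EVENT_RE.sub("", html[pos:m.start()]))  # scrub text before the comment
        out.append(m.group(0))                                 # comment kept as-is
        pos = m.end()
    out.append(ON_EVENT_RE.sub("", html[pos:]))                # scrub trailing text
    return "".join(out)


def hardened_filter(html):
    """Removes every comment, so there is no comment body left for a browser's
    conditional-comment parser to reinterpret, then scrubs on-event attributes
    from whatever remains."""
    return ON_EVENT_RE.sub("", COMMENT_RE.sub("", html))


def ie_conditional_comment_present(html):
    """Detection rule: flags the '<!--[if' opener that IE treats as a conditional
    comment while a generic comment filter sees only an ordinary note."""
    return re.search(r"<!--\s*\[if", html, re.I) is not None
```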
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
