a good example to see the "incorrect handling": <!--[if<img/onerror=alert(1) src=]> //executed. <!--[i<img/onerror=alert(1) src=]> //not executed.
On Mon, Aug 8, 2011 at 2:23 PM, Christian Sciberras <[email protected]>wrote: > I think it's worth to note that MSIE expects an *expression* in the > conditional (it's a feature). > Hence even if you disable direct XSS, there still would probably be > more ways an *expression* could be used to write HTML code. > > As such, I don't think they should be "fixing" this (since it is > intended), but rather warn developers about it's existence. > > On the other hand, if developers are writing unfiltered HTML inside > this conditional, I think there are worse issues than this. > I've always believed in the philosophy of making browsers work as > expected instead of expecting them to comply and fix my issues. > Especially if the browser in question is Internet Explorer ;-). > > Cheers, > Chris. > > > > On Mon, Aug 8, 2011 at 5:59 AM, CnCxzSec衰仔 <[email protected]> wrote: > > this is a normal use, but <!--[if<img/onerror=alert(1) src=]> is an > unnormal > > use. IE should regard this as an HTML comment instead of a > downlevel-hidden > > comment, so the HTML tags inside the COMMENT should not be evaled. > > On Mon, Aug 8, 2011 at 11:30 AM, Andrew Farmer <[email protected]> > wrote: > >> > >> On 2011-08-07, at 19:53, CnCxzSec衰仔 wrote: > >> > hi all, here is an interesting trick to perform an xss attack with IE > >> > browsers. > >> > > >> > some rich text applications such as email and blog, may provide HTML > >> > uses > >> > but have a policy to block the on-event execution to prevent the XSS > >> > attack. > >> > However, this applications may also allow the HTML notes uses,for > >> > instance > >> > "<!-- -->" > >> > >> Any such applications are likely to also be vulnerable to a simpler > attack > >> based on "downlevel-hidden" conditional comments: > >> > >> <!--[if IE]> > >> <script>anything you want can go here, presumably</script> > >> <![endif]--> > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
