Hi GreyMagic,

First off, I can't reproduce this on my fully patched IE6.

Second, you should be able to have IE render any HTML page as an XML file like this:

<object type="application/xml" data="http://www.yahoo.com" width="500" height="500"> </object>

Generally HTML files are not well-formed XML, so it shouldn't be difficult to get this to work on just about any site.

--jelmer

----- Original Message -----
From: "GreyMagic Software" <security@greymagic.com>
To: <full-disclosure@lists.netsys.com>
Sent: Tuesday, June 17, 2003 12:09 PM
Subject: [Full-Disclosure] Cross-Site Scripting in Unparsable XML Files (GM#013-IE)

> GreyMagic Security Advisory GM#013-IE
> =====================================
>
> By GreyMagic Software, Israel.
> 17 Jun 2003.
>
> Available in HTML format at http://security.greymagic.com/adv/gm013-ie/.
>
> Topic: Cross-Site Scripting in Unparsable XML Files.
>
> Discovery date: 18 Feb 2003.
>
> Affected applications:
> ======================
>
> Microsoft Internet Explorer 5.5 and 6.0.
>
> Note that any other application that uses Internet Explorer's engine
> (WebBrowser control) is affected as well (AOL Browser, MSN Explorer, etc.).
>
>
> Introduction:
> =============
>
> Internet Explorer automatically attempts to parse any XML file requested
> individually by the browser. When the parsing process is successful, a
> dynamic tree of the various XML elements is presented. However, when a
> parsing error occurs Internet Explorer displays the parse error along with
> the URL of the requested XML file.
>
>
> Discussion:
> ===========
>
> We have found that in some cases the displayed URL is not filtered
> appropriately, and may cause HTML that was passed in the querystring of the
> URL to be rendered by the browser. This creates a classic cross-site
> scripting attack in almost any XML file that MSXML fails to read.
> Practically, this means that leaving XML files on your server that can't be
> parsed correctly by Internet Explorer and MSXML is exposing the site to a
> global Cross-Site Scripting attack.
>
> We have been able to reproduce this problem in various setups, but we
> couldn't pinpoint the vulnerable component reliably enough. It is most
> likely an MSXML issue, and not a flaw in Internet Explorer itself.
>
>
> Exploit:
> ========
>
> This sample shows the basic URL for injecting content:
>
> http://host.with.unparsable.xml.file/flaw.xml?<script>alert(document.cookie)</script>
>
>
> Demonstration:
> ==============
>
> We put together a simple proof of concept demonstration, which can be found
> at http://security.greymagic.com/adv/gm013-ie/.
>
>
> Solution:
> =========
>
> Microsoft was notified on 20-Feb-2003. They reported that they were able to
> reproduce this flaw on IE6 Gold, and no other version. Our research showed
> different, yet inconsistent results (see "Tested on" section for details).
>
>
> Tested on:
> ==========
>
> IE5.5 NT4.
> IE6 Win98.
> IE6 Win2000.
>
>
> Disclaimer:
> ===========
>
> The information in this advisory and any of its demonstrations is provided
> "as is" without warranty of any kind.
>
> GreyMagic Software is not liable for any direct or indirect damages caused
> as a result of using the information or demonstrations provided in any part
> of this advisory.
>
>
> Feedback:
> =========
>
> Please mail any questions or comments to security@greymagic.com.
>
> - Copyright © 2003 GreyMagic Software.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
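A site-owner's check for the condition the advisory describes, added here as example code (not from GreyMagic or jelmer): it audits served XML files for the well-formedness MSXML requires, and scans access-log lines for requests to .xml resources whose query string carries HTML markup. File contents, paths and log lines are constructed.

```python
"""Defender-side checks for GM#013-IE: IE's XML parse-error page reflects the
request URL, so any served XML file that MSXML cannot parse is an XSS sink.
Example code, not from the advisory; file contents and log lines are constructed."""
import re
import urllib.parse
from xml.parsers import expat

def is_well_formed(xml_bytes: bytes) -> bool:
    """True if the document is well-formed XML, i.e. MSXML would parse it."""
    parser = expat.ParserCreate()
    try:
        parser.Parse(xml_bytes, True)
        return True
    except expat.ExpatError:
        return False

def find_unparsable_xml(files: dict) -> list:
    """files maps path -> bytes (stands in for a walk of the document root).
    Returns the paths whose content fails to parse: these are the exposed files."""
    return sorted(path for path, data in files.items() if not is_well_formed(data))

LOG_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')   # request target in CLF
MARKUP_RE = re.compile(r'<\s*/?\s*[a-zA-Z]')                # HTML-style tag start

def flag_xml_requests(log_lines) -> list:
    """Request targets for .xml resources whose URL-decoded query string carries
    HTML markup, the shape of the advisory's sample URL; for review, not blocking."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urllib.parse.urlsplit(m.group(1))
        if url.path.lower().endswith(".xml") and MARKUP_RE.search(urllib.parse.unquote(url.query)):
            hits.append(m.group(1))
    return hits

# Constructed sample data: one well-formed feed, one file with a mismatched tag.
SAMPLE_FILES = {
    "/var/www/feed.xml": b"<?xml version='1.0'?><rss><channel><title>ok</title></channel></rss>",
    "/var/www/flaw.xml": b"<?xml version='1.0'?><root><item>unclosed</root>",
}
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jun/2003:12:09:00 +0000] "GET /feed.xml HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Jun/2003:12:09:01 +0000] "GET /flaw.xml?%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 310',
]
```

Files reported by find_unparsable_xml are the ones to fix or remove; the log check only narrows what to look at, since a well-formed file does not reach the error page at all.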