> <object type="application/xml" data="http://www.yahoo.com"; width="500" > height="500"> > </object> This produces a warning in IE6 before it does anything with it. Kevin Spett SPI Labs http://www.spidynamics.com > Generaly html files are not well formed xml so it shouldnt be difficult to > get this to work on just about any site > > --jelmer > > > ----- Original Message ----- > From: "GreyMagic Software" <security@greymagic.com> > To: <full-disclosure@lists.netsys.com> > Sent: Tuesday, June 17, 2003 12:09 PM > Subject: [Full-Disclosure] Cross-Site Scripting in Unparsable XML Files > (GM#013-IE) > > > > GreyMagic Security Advisory GM#013-IE > > ===================================== > > > > By GreyMagic Software, Israel. > > 17 Jun 2003. > > > > Available in HTML format at http://security.greymagic.com/adv/gm013-ie/. > > > > Topic: Cross-Site Scripting in Unparsable XML Files. > > > > Discovery date: 18 Feb 2003. > > > > Affected applications: > > ====================== > > > > Microsoft Internet Explorer 5.5 and 6.0. > > > > Note that any other application that uses Internet Explorer's engine > > (WebBrowser control) is affected as well (AOL Browser, MSN Explorer, > etc.). > > > > > > Introduction: > > ============= > > > > Internet Explorer automatically attempts to parse any XML file requested > > individually by the browser. When the parsing process is successful, a > > dynamic tree of the various XML elements is presented. However, when a > > parsing error occurs Internet Explorer displays the parse error along with > > the URL of the requested XML file. > > > > > > Discussion: > > =========== > > > > We have found that in some cases the displayed URL is not filtered > > appropriately, and may cause HTML that was passed in the querystring of > the > > URL to be rendered by the browser. This creates a classic cross-site > > scripting attack in almost any XML file that MSXML fails to read. > > Practically, this means that leaving XML files on your server that can't > be > > parsed correctly by Internet Explorer and MSXML is exposing the site to a > > global Cross-Site Scripting attack. > > > > We have been able to reproduce this problem in various setups, but we > > couldn't pinpoint the vulnerable component reliably enough. It is most > > likely an MSXML issue, and not a flaw in Internet Explorer itself. > > > > > > Exploit: > > ======== > > > > This sample shows the basic URL for injecting content: > > > > > http://host.with.unparsable.xml.file/flaw.xml?<script>alert(document.cookie) > > </script> > > > > > > Demonstration: > > ============== > > > > We put together a simple proof of concept demonstration, which can be > found > > at http://security.greymagic.com/adv/gm013-ie/. > > > > > > Solution: > > ========= > > > > Microsoft was notified on 20-Feb-2003. They reported that they were able > to > > reproduce this flaw on IE6 Gold, and no other version. Our research showed > > different, yet inconsistent results (see "Tested on" section for details). > > > > > > Tested on: > > ========== > > > > IE5.5 NT4. > > IE6 Win98. > > IE6 Win2000. > > > > > > Disclaimer: > > =========== > > > > The information in this advisory and any of its demonstrations is provided > > "as is" without warranty of any kind. > > > > GreyMagic Software is not liable for any direct or indirect damages caused > > as a result of using the information or demonstrations provided in any > part > > of this advisory. > > > > > > Feedback: > > ========= > > > > Please mail any questions or comments to security@greymagic.com. > > > > - Copyright © 2003 GreyMagic Software. > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.netsys.com/full-disclosure-charter.html > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >