Here are some comments on the MSIE custom HTTP errors script injection vulnerability posted by GreyMagic back on June 17th: I had been playing with the custom HTTP errors as well, it's some two years ago, but it still works pretty much the same. Here is my version of the URL I figured out that time. It is similar to that of GreyMagic, but mine does not show the JavaScript source in the text of the page and allows you insert any innocent looking arbitrary text instead. It makes use of the //-style comments instead of /**/ comments to protect that text from being interpreted: res://shdoclc.dll/http_404.htm#javascript:alert(location.href);//://clickme/ Because of the "security precaution" that Microsoft implemented you are not allowed to use the often essential apostrophe as a part of the injected code. Fortunately, there is this nice work around: res://shdoclc.dll/http_404.htm#javascript:alert(String.fromCharCode(72,101,1 08,108,111));//://clickme/ And if you must use some of the other forbidden characters or character combinations that would break the consistence of the specially crafted URL, feel free to enclose all the commands in one big eval(String.fromCharCode()) and get rid of the problems. You can force the user click on the link by selecting a proper text for it and displaying the error message in an IFRAME of proper dimensions, clipping, etc., which should make the link look unrecognizable from the other links on the page. Regards, Marek Blahus <security@blahus.cz>
