[Full-Disclosure] Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate HTML

From: bitlance winter (bitlance_3_at_hotmail.com)
Date: 02/28/05

    To: full-disclosure@lists.netsys.com
    Date: Mon, 28 Feb 2005 15:11:31 +0000

    Hi, LIST.

    ========
    subject:
    ========
    Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate
    HTML Documents

    ========
    NOTE:
    ========
    This bug was published by an unknown person on his site.
    This bug has been widely known in Japan since August 2004.
    (This news was reported.)
    Now his site is closed.
    Some engineers have prevented this bug. They maintain Web services.
    Wiki, Webmail, Blog, BBS: those might be dangerous.

    ========
    First:
    ========

    I want to show the following first. Please check it out using IE on XPSP2.

    The cat is here.
    http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg

    And the cat is a script kitty.
    mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg

    You see? Executing JavaScript? OK.
    If you are using old IE or Windows, try this one.
    mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg.mhtml

    Confirmed?

    ========
    Second:
    ========

    What is happening to us?
    Please check it out.
    http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt
    or same file,
    http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt

    This is a test message which demonstrates sending e-mail
    in HTML format according to RFC 2557.

    And please check out:
    mhtml:http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt
    or same file,
    mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt

    ========
    Third:
    ========

    Then we can change the Content-Transfer-Encoding:
    from '7bit' to 'quoted-printable'.
    Check it out, please.
    http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt

    - ----- q2.txt ------
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: quoted-printable

    =3C!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"=3E
    =3CHTML=3E
    =3CHEAD=3E=3CTITLE=3ETest message no. 3=3C/TITLE=3E
    =3C/HEAD=3E
    =3CBODY=3E
    =3CH1=3EThis is test message no. 3=3C/H1=3E

    =3CH2=3EHere comes the red test image:=3C/H2=3E
    =3CIMG SRC=3D"http://www.dsv.su.se/jpalme/mimetest/red-test-image.gif"
    BORDER=3D0 HEIGHT=3D32 WIDTH=3D117
    ALT=3D"red test image"=3E

    =3CH2=3EHere comes the yellow test image:=3C/H2=3E
    =3CIMG SRC=3D"http://www.dsv.su.se/jpalme/mimetest/yellow-test-image.gif"
    BORDER=3D0 HEIGHT=3D32 WIDTH=3D152
    ALT=3D"yellow test image"=3E

    =3CP=3EThis is the last line of this test message.
    =3C/BODY=3E=3C/HTML=3E
    - ----- q2.txt ------

    Where is the HTML tag?
    Do you know how to sanitise it?
    mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt

    The malicious code would be inserted by a malicious user,
    on a Blog, Wiki, BBS with a file uploader, etc.
    JPEG files or GIF files are also poisoned.

    There is a possible XSS issue on Windows XPSP2 IE6 via MHTML.

    ========
    Reference:
    ========

    Using HTML in E-mail
    http://www.dsv.su.se/jpalme/ietf/mhtml.html

    MIME Encapsulation of Aggregate HTML Documents (MHTML)
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml_.asp

    RFC 2045 - Multipurpose Internet Mail Extensions (MIME) Part One: Format of
    Internet Message Bodies
    http://www.faqs.org/rfcs/rfc2045.html

    ===========

    Sorry for my bad English.
    Best regards.

    ===========

    --
    bitlance winter
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
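The point of the q2.txt demonstration above is that a sanitizer which looks for HTML tags in the raw bytes of an upload sees none, because every '<' and '>' is carried as =3C and =3E and is only reconstructed when the file is opened through the mhtml: handler. The following defender-side check is an added example written for this editing pass; it is not code from the original post or from any of the referenced projects. It assumes an upload filter that receives the whole file as bytes, and it only looks for a MIME header block at the start of the data (whether the handler also honours headers placed deeper inside a file, such as a JPEG, is not something the post states, so this example does not guess at it). The sample input is constructed inline in the same shape as q2.txt.

```python
import base64
import binascii
import quopri
import re

# Constructed sample in the shape of the q2.txt file from the post:
# a single MIME part whose HTML body is quoted-printable encoded.
# Note that the raw bytes contain no '<' or '>' at all.
SAMPLE_QP_PART = b"""Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

=3C!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"=3E
=3CHTML=3E
=3CHEAD=3E=3CTITLE=3ETest message no. 3=3C/TITLE=3E
=3C/HEAD=3E
=3CBODY=3E
=3CH1=3EThis is test message no. 3=3C/H1=3E
=3CP=3EThis is the last line of this test message.
=3C/BODY=3E=3C/HTML=3E
"""

# Constructed plain HTML, for comparison with the encoded part above.
SAMPLE_PLAIN_HTML = b"<html><body><h1>hello</h1></body></html>\n"

# A deliberately simple tag matcher: any '<', optional '/', a letter, up to '>'.
TAG_RE = re.compile(rb"<\s*/?\s*[A-Za-z!][^>]*>")


def naive_contains_html(data: bytes) -> bool:
    """The check a raw-bytes sanitizer performs: scan the file as-is for tags."""
    return TAG_RE.search(data) is not None


def split_mime_headers(data: bytes):
    """Split a single MIME part into (headers, body).

    Headers are returned as a lower-cased dict of str -> str. If no blank
    line terminates a header block at the start of the data, the whole
    input is treated as body and the header dict is empty.
    """
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = data.partition(b"\n\n")
        if not sep:
            return {}, data
    headers = {}
    for line in head.splitlines():
        if b":" not in line:
            # Not a header line: this is not a MIME header block at all.
            return {}, data
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("ascii", "replace")] = (
            value.strip().decode("ascii", "replace")
        )
    return headers, body


def looks_like_mime_part(data: bytes) -> bool:
    """True if the data starts with a MIME header block (Content-Type or CTE)."""
    headers, _ = split_mime_headers(data)
    return "content-type" in headers or "content-transfer-encoding" in headers


def decode_mime_body(data: bytes) -> bytes:
    """Return the body of a MIME part with its Content-Transfer-Encoding undone.

    Handles quoted-printable (the case in the post) and base64; 7bit/8bit/
    binary bodies are returned unchanged.
    """
    headers, body = split_mime_headers(data)
    cte = headers.get("content-transfer-encoding", "7bit").lower()
    if cte == "quoted-printable":
        return quopri.decodestring(body)
    if cte == "base64":
        try:
            return base64.b64decode(body, validate=False)
        except binascii.Error:
            return body
    return body


def decoded_contains_html(data: bytes) -> bool:
    """The hardened check: decode the transfer encoding first, then scan for tags."""
    return TAG_RE.search(decode_mime_body(data)) is not None


def classify_upload(data: bytes) -> str:
    """Summarise what an upload filter should conclude about a file."""
    if naive_contains_html(data):
        return "html-in-raw-bytes"
    if looks_like_mime_part(data) and decoded_contains_html(data):
        return "html-hidden-by-transfer-encoding"
    if looks_like_mime_part(data):
        return "mime-part-without-html"
    return "no-html-found"


if __name__ == "__main__":
    print("raw scan of encoded part:     ", naive_contains_html(SAMPLE_QP_PART))
    print("decoded scan of encoded part: ", decoded_contains_html(SAMPLE_QP_PART))
    print("classification:               ", classify_upload(SAMPLE_QP_PART))
    print("classification of plain html: ", classify_upload(SAMPLE_PLAIN_HTML))
```

The raw scan reports no tags in the encoded part, which is exactly the "Where is the HTML tag?" situation from the post; decoding the quoted-printable body first makes the tags visible again. An upload filter that wants to be robust against this should either reject files that begin with a MIME header block, or decode the declared transfer encoding before deciding whether the content is HTML.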
    
