Re: [Full-Disclosure] Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate HTML

From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: 02/28/05

    Date: Mon, 28 Feb 2005 21:29:08 +0300
    To: "bitlance winter" <bitlance_3@hotmail.com>

    Dear bitlance winter,

    Using MHTML to bypass content filtering for scripting was reported here
    at least by offtopic, along with a few more tricks. You may want to
    read this:

    offtopic, 3APA3A. Bypassing client application protection techniques
    http://www.security.nnov.ru/advisories/bypassing.asp

    and this

    3APA3A. Bypassing content filtering whitepaper
    http://www.security.nnov.ru/advisories/content.asp

    --Monday, February 28, 2005, 6:11:31 PM, you wrote to full-disclosure@lists.netsys.com:

    bw> Hi, LIST.

    bw> ========
    bw> subject:
    bw> ========
    bw> Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate
    bw> HTML Documents

    bw> ========
    bw> NOTE:
    bw> ========
    bw> This bug had been published by an unknown person on his site.
    bw> This bug has been widely known in Japan since August, 2004.
    bw> (This news was reported.)
    bw> Now his site is closed.
    bw> Some engineers have prevented this bug. They are maintaining Web services.
    bw> Wiki, Webmail, Blog, BBS: those might be dangerous.

    bw> ========
    bw> First:
    bw> ========

    bw> I want to show the following first. Please checkout using IE on XPSP2.

    bw> The cat is here.
    bw> http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg

    bw> And the cat is a script kitty.
    bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg

    bw> You see? executing JavaScript? Ok.
    bw> If you are using old IE or Windows, try this one.
    bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg.mhtml

    bw> Confirmed?

    bw> ========
    bw> Second:
    bw> ========

    bw> What is happening to us?
    bw> Please check out.
    bw> http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt
    bw> or same file,
    bw> http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt

    bw> This is a test message which demonstrates sending e-mail
    bw> in HTML format according to RFC 2557.

    bw> And check out please.
    bw> mhtml:http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt
    bw> or same file,
    bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt

    bw> ========
    bw> Third:
    bw> ========

    bw> Then we can change Content-Transfer-Encoding:
    bw> from '7bit' to 'quoted-printable'.
    bw> Check out please.
    bw> http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt

    bw> - ----- q2.txt ------
    bw> Content-Type: text/html; charset=us-ascii
    bw> Content-Transfer-Encoding: quoted-printable

    bw> =3C!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"=3E
    bw> =3CHTML=3E
    bw> =3CHEAD=3E=3CTITLE=3ETest message no. 3=3C/TITLE=3E
    bw> =3C/HEAD=3E
    bw> =3CBODY=3E
    bw> =3CH1=3EThis is test message no. 3=3C/H1=3E

    bw> =3CH2=3EHere comes the red test image:=3C/H2=3E
    bw> =3CIMG
    bw> SRC=3D"http://www.dsv.su.se/jpalme/mimetest/red-test-image.gif"
    bw> BORDER=3D0 HEIGHT=3D32 WIDTH=3D117
    bw> ALT=3D"red test image"=3E

    bw> =3CH2=3EHere comes the yellow test image:=3C/H2=3E
    bw> =3CIMG
    bw> SRC=3D"http://www.dsv.su.se/jpalme/mimetest/yellow-test-image.gif"
    bw> BORDER=3D0 HEIGHT=3D32 WIDTH=3D152
    bw> ALT=3D"yellow test image"=3E

    bw> =3CP=3EThis is the last line of this test message.
    bw> =3C/BODY=3E=3C/HTML=3E
    bw> - ----- q2.txt ------

    bw> Where is HTML TAG?
    bw> Do you know how to sanitise?
    bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt

    bw> The malicious code would be inserted by a malicious user,
    bw> on a Blog, Wiki, BBS with a file uploader, etc.
    bw> JPEG files or GIF files are also poisoned.

    bw> There is a possible XSS issue on Windows XPSP2 IE6 via MHTML.

    bw> ========
    bw> Reference:
    bw> ========

    bw> Using HTML in E-mail
    bw> http://www.dsv.su.se/jpalme/ietf/mhtml.html

    bw> MIME Encapsulation of Aggregate HTML Documents (MHTML)
    bw> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml_.asp

    bw> RFC 2045 - Multipurpose Internet Mail Extensions (MIME) Part One: Format of
    bw> Internet Message Bodies
    bw> http://www.faqs.org/rfcs/rfc2045.html

    bw> ===========

    bw> Sorry for my bad English.
    bw> Best Regards.

    bw> ===========
    bw> --
    bw> bitlance winter

    bw> _________________________________________________________________
    bw> Don’t just search. Find. Check out the new MSN Search!
    bw> http://search.msn.click-url.com/go/onm00200636ave/direct/01/

    bw> _______________________________________________
    bw> Full-Disclosure - We believe in it.
    bw> Charter: http://lists.netsys.com/full-disclosure-charter.html

    -- 
    ~/ZARAZA
    Shooting a second time, he crippled a bystander. The bystander was me. (Twain)
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
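The point of the q2.txt sample in the quoted post is that a filter which greps the raw upload for angle brackets sees nothing, because quoted-printable turns `<` into `=3C`, while IE's `mhtml:` handler decodes the Content-Transfer-Encoding before rendering. The following Python is an added illustration written for this thread (not code from either poster) of the check a defender wants on an upload endpoint: locate MIME headers in the blob, let the standard `email` parser decode each part's transfer encoding, and only then look for markup. The sample blobs are constructed here, modelled on q2.txt; the `scan_upload` function and its verdict fields are this example's own names, and starting the MIME parse at the first header line is a simplification of however a real client locates the headers.

```python
import email
import re
from email import policy

# Constructed sample modelled on the q2.txt in the post: a text/html part whose
# angle brackets are hidden behind quoted-printable (=3C / =3E). A raw-byte
# scan finds no "<" here at all.
QP_SAMPLE = b"""Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

=3CHTML=3E=3CBODY=3E
=3CH1=3ETest=3C/H1=3E
=3Cscript=3Ealert(1)=3C/script=3E
=3C/BODY=3E=3C/HTML=3E
"""

# Constructed 7bit variant: the same markup, visible even to a naive scan.
SEVENBIT_SAMPLE = b"""Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<html><body><script>alert(1)</script></body></html>
"""

# Constructed stand-in for a genuine image: JPEG magic, no MIME headers.
PLAIN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32

TAG_RE = re.compile(rb"<\s*/?\s*[a-z][a-z0-9]*", re.IGNORECASE)
RISKY_TAG_RE = re.compile(rb"<\s*(script|iframe|object|embed|meta|link)\b",
                          re.IGNORECASE)
# Header lines that make a blob look like a MIME/MHTML container.
HEADER_RE = re.compile(rb"^(Content-Type|Content-Transfer-Encoding|MIME-Version)\s*:",
                       re.IGNORECASE | re.MULTILINE)


def scan_upload(data: bytes) -> dict:
    """Return a verdict for an uploaded blob.

    mime_headers: the blob carries MIME headers somewhere (container suspect)
    naive_tags:   tags a filter sees when it scans the raw bytes only
    decoded_tags: tags visible after honouring Content-Transfer-Encoding
    risky:        a script/iframe/etc. tag is present after decoding
    """
    match = HEADER_RE.search(data)
    result = {
        "mime_headers": match is not None,
        "naive_tags": len(TAG_RE.findall(data)),
        "decoded_tags": 0,
        "risky": False,
    }
    if match is None:
        return result  # no MIME structure: nothing to decode

    # Simplification: parse from the first header line onward. The stdlib
    # parser decodes quoted-printable and base64 for us in get_payload().
    msg = email.message_from_bytes(data[match.start():], policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        result["decoded_tags"] += len(TAG_RE.findall(payload))
        if RISKY_TAG_RE.search(payload):
            result["risky"] = True
    return result


def should_reject(data: bytes, declared_image: bool = True) -> bool:
    """Policy for an image upload slot: an image must not be a MIME container,
    and no decoded part may carry active markup."""
    verdict = scan_upload(data)
    if declared_image and verdict["mime_headers"]:
        return True
    return verdict["risky"]


if __name__ == "__main__":
    for name, blob in (("q2-style QP", QP_SAMPLE),
                       ("7bit", SEVENBIT_SAMPLE),
                       ("plain jpeg", PLAIN_JPEG)):
        print(name, scan_upload(blob), "reject" if should_reject(blob) else "accept")
```

Running it shows the gap the post is pointing at: the quoted-printable sample reports `naive_tags` 0 but `decoded_tags` 8, so a filter that never decodes the transfer encoding passes exactly the content that the `mhtml:` handler will execute. The stricter `should_reject` rule, refusing any declared image that contains MIME headers at all, is the cheaper defence because it does not depend on the tag list being complete.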