Re: [Full-disclosure] Internet Explorer 6 Meta Refresh Parsing Weakness

tuytumadre_at_att.net
Date: 08/18/05

  • Next message: KF (lists): "[Full-disclosure] Bluez hcid popen() explained." 
    To: Moritz Naumann <info@moritz-naumann.com>, Full Disclosure <full-disclosure@lists.grok.org.uk>, bugtraq@securityfocus.com
Date: Thu, 18 Aug 2005 02:48:56 +0000

    Why should Microsoft be accountable for the mistakes of webmasters? Have you even tested any of ther other browsers? Even if you have, a webmaster should indeed be responsible for blindly redirecting a user to a url supplied in input. This isn't an Internet Explorer mistake - it is a webmaster mistake, and quite a silly one at that.

    Btw, if this message appears in your mailboxes twice, it's because I sent it twice (the first time I received a DNS failure message).

    Regards,
    Paul
    Greyhats Security
    http://greyhatsecurity.org

    -------------- Original message from Moritz Naumann <info@moritz-naumann.com>: --------------

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    >
    >
    > SA0001
    >
    > +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    > +++++ Internet Explorer 6 Meta Refresh Parsing Weakness +++++
    > +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    >
    >
    > PUBLISHED ON
    > Aug 17, 2005
    >
    >
    > PUBLISHED AT
    > http://moritz-naumann.com/adv/0001/ie6meta/0001.txt
    >
    >
    > PUBLISHED BY
    > Moritz Naumann IT Consulting & Services
    > Hamburg/Germany
    > http://moritz-naumann.com/
    >
    > info AT moritz HYPHON naumann D0T com
    > GPG key: http://moritz-naumann.com/keys/0x277F060C.asc
    >
    >
    > AFFECTED PRODUCT OR SERVICE
    > Microsoft Internet Explorer
    > http://www.microsoft.com/windows/ie/
    >
    >
    > AFFECTED VERSION
    > Version 6 up to release 6.0.2900.2180 (SP2 + all patches)
    > Possibly versions < 6.0 (untested)
    >
    >
    > BACKGROUND
    > While the format of
    > META http-equiv="refresh"
    > and
    > META name="refresh"
    > type HTML headers was never exactly defined by they W3C, web
    > browsers have been interpreting this instruction since early
    > releases. Web application developers got used to the clients'
    > behaviour and using this tag to initiate URL redirections
    > became common.
    >
    > As most web browsers, Internet Explorer 6 interprets this tag,
    > too. However, in contrary to other web browsers, IE6's HTML
    > parser uses a pretty loose rule set which facilitates
    > injection of malicious code into it when browsing web
    > applications which insufficiently sanitize user supplied
    > input.
    >
    > For example, a web application may use the following PHP code
    > (redirect.php) to redirect a web browser to a different URL:
    >
    >
    > > $goto = $_GET["goto"]; // Input sanitization omitted
    > $meta1 = '';
    > echo $meta.$goto;
    > ?>
    >
    >
    >
    > Assuming this script is hosted in the web root on example.org,
    > the following HTML code would be returned on a request to
    > http://example.org/redirect.php?goto=localhost :
    >
    >
    >
    >
    >
    >
    > Obviously, a web application developer must make sure that no
    > malicious code can be injected along the 'goto' parameter passed
    > via the HTTP GET method. A common method to sanitize user input
    > would be to hardcode the protocol part of the URL ('http://')
    > contained in 'goto', and to URL-encode any double quotes. This
    > would assumely make it difficult to inject any malicious client
    > side code.
    >
    >
    > ISSUE
    > Unlickily, and in contrary to other web browsers, Internet
    > Explorer 6 allows multiple 'URL=' parts in the 'content'
    > attribute and will only interpret the last value given.
    > Resulting from this, it is still possible to inject code into a
    > web application using the input sanitization described above
    > which will be executed when using Internet Explorer 6.
    >
    > For example, Internet Explorer 6 will interpret the following
    > statement:
    >
    > URL parameter:
    > goto=;URL=javascript:alert('XSS');
    > Resulting META tag:
    > content="0; URL=http://;URL=javascript:alert('XSS');">
    > Resulting behaviour:
    > Displays Javascript alert with text 'XSS'
    >
    > Making use of Internet Explorers loose parsing, a code such as
    > this value of the 'goto' URL parameter will work, too:
    >
    > %20%20%20%20%20;UrL=jaVAscRIpt:alert('XSS');
    >
    > will work, too. As any of ';', 'UrL', '=', 'jaVAscRIpt' and ':'
    > may be legal content passed to the traget web site (think of a
    > search term passed to a search engine), sanitizing this is not
    > too easy.
    >
    > As the expected behaviour would be that a web browser would
    > either return an error message for incorrect syntax or would
    > attempt to interpret anything after the first 'URL=' part as the
    > target URL, Internet Explorer behaves in a pretty uncommon way. A
    > fix on the user agent side would be the best solution for this
    > issue.
    >
    >
    > WORKAROUND
    > Client: Disable META REFRESH in Security Settings for the Internet
    > Zone.
    > Server: Perform thorough sanitization on your web applications.
    >
    >
    > SOLUTIONS
    > Microsoft will not provide a patch.
    >
    >
    > TIMELINE
    > Aug 04, 2005: Vendor informed
    > Aug 04, 2005: First vendor reply
    > Aug 17, 2005: Vendor finishes investigation, declares itself
    > unaccountabile
    >
    >
    > CREDIT
    > N/A
    >
    >
    > LICENSE
    > Creative Commons Attribution-ShareAlike License Germany
    > http://creativecommons.org/licenses/by-sa/2.0/de/
    >
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.4.1 (GNU/Linux)
    >
    > iD8DBQFDA6WGn6GkvSd/BgwRAnIRAJ9sK7ub/JwoBwNQjtC8j4QxiVl3kwCfUNqi
    > o+WaJkCQ9LUzdLtNwdBungg=
    > =lNVL
    > -----END PGP SIGNATURE-----
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

  • Next message: KF (lists): "[Full-disclosure] Bluez hcid popen() explained."

    Relevant Pages