Re: [Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])



On 10/2/06, Paul Szabo <psz@xxxxxxxxxxxxxxxxx> wrote:
This provides UXSS (Universal Cross-Site Scripting):

http://apache.svr/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/ZZZ...

(with a couple of hundred Zs) will do what we want. Works for https also:

https://apache.svr/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/ZZZ...

Can steal any Apache server (http or https) cookies. I do not have easy
access to ISS servers to test whether similar attacks would work there.

Will Apache fix (carefully escape) the error message? Will MS fix IE to
not be so over-friendly?

This should only be possible if neither the HTTP headers nor the HTML
page specifies the character set of the document. If the server
doesn't tell IE the character set, the autodetection "feature" will
kick in, and the site is vulnerable. I just tested Apache 1.3.37 and
Apache 2.2.3, and both specified a content-type header of "text/html;
charset=iso-8859-1" for 404 responses, so the attack failed. My
browser was IE 6.0.2800.1106.

I'm guessing that you tested a server with some kind of customized 404
response that neglected to include a charset specification. That's
not a vulnerability in Apache, that is poor site configuration.

(I do wish that IE didn't have this character set autodetection
feature, or at least that it was restricted to commonly used character
sets that don't use strange encodings for HTML metacharacters.)

Regards,
Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
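The disagreement in this thread comes down to one question: does the error response declare a character set, or is the browser left to guess? The Python below is an added defender-side check and is not code from either poster. It inspects a response's Content-Type header and `<meta>` tag for a declared charset (the condition Brian says must be missing for the attack to work), and separately flags bodies whose UTF-7 decoding introduces `<` or `>` that are not present in the raw bytes, which is the signature of the `+ADw-`/`+AD4-` sequences quoted above. The sample headers and bodies are constructed for the example, not captured from a real server.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample responses (not from any real server).
GOOD_HEADERS: Dict[str, str] = {"Content-Type": "text/html; charset=iso-8859-1"}
BAD_HEADERS: Dict[str, str] = {"Content-Type": "text/html"}
META_BODY = (b'<html><head><meta http-equiv="Content-Type" '
             b'content="text/html; charset=utf-8"></head>'
             b"<body>Not Found</body></html>")
# A custom 404 page that echoes the requested path without declaring a charset.
ECHO_BODY = (b"<html><body>The requested URL "
             b"/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/ZZZ "
             b"was not found.</body></html>")

_HEADER_CHARSET = re.compile(r';\s*charset\s*=\s*"?([\w.\-:]+)"?', re.I)
_META_CHARSET = re.compile(rb'<meta[^>]*charset\s*=\s*"?([\w.\-:]+)', re.I)


def declared_charset(headers: Dict[str, str], body: bytes) -> Tuple[Optional[str], str]:
    """Return (charset, where) for a response, or (None, "none") if undeclared.

    The header wins over the meta tag, which is also the order a browser
    honours; only the first 4 KiB of the body is scanned, as browsers do.
    """
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    m = _HEADER_CHARSET.search(ctype)
    if m:
        return m.group(1).lower(), "header"
    m = _META_CHARSET.search(body[:4096])
    if m:
        return m.group(1).decode("ascii").lower(), "meta"
    return None, "none"


def utf7_decoded(data: bytes) -> str:
    """Decode bytes the way a browser that sniffed UTF-7 would interpret them."""
    return data.decode("utf-7", errors="replace")


def utf7_hidden_markup(data: bytes) -> bool:
    """True if UTF-7 decoding reveals more '<' or '>' than the raw bytes contain.

    Raw bytes are read as Latin-1 so every byte maps to one character and the
    counts are comparable.  Angle brackets that only appear after decoding are
    exactly what the +ADw-/+AD4- sequences in this thread rely on.
    """
    if b"+" not in data:
        return False
    raw = data.decode("latin-1")
    decoded = utf7_decoded(data)
    return decoded.count("<") > raw.count("<") or decoded.count(">") > raw.count(">")


def at_risk(headers: Dict[str, str], body: bytes) -> bool:
    """A response is at risk when no charset is declared and the body carries
    UTF-7 shift sequences that decode to markup."""
    charset, _ = declared_charset(headers, body)
    return charset is None and utf7_hidden_markup(body)


if __name__ == "__main__":
    for name, hdrs, body in [("stock apache 404", GOOD_HEADERS, ECHO_BODY),
                             ("custom 404, meta charset", BAD_HEADERS, META_BODY),
                             ("custom 404, no charset", BAD_HEADERS, ECHO_BODY)]:
        print(f"{name:28s} charset={declared_charset(hdrs, body)} at_risk={at_risk(hdrs, body)}")
```

For Apache the usual remedy for the "poor site configuration" case is to make sure custom ErrorDocument pages still carry a charset, for example with the `AddDefaultCharset` directive or an explicit `<meta http-equiv="Content-Type">` in the error page itself; `at_risk` then returns False for the same echoed path because the browser is no longer guessing.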


