[NT] Cross-Site Scripting in Unparsable XML Files

From: SecuriTeam (support_at_securiteam.com)
Date: 06/19/03

    To: list@securiteam.com
    Date: 19 Jun 2003 19:23:01 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security in Canada

    Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
    We welcome ISPs, system integrators and IT systems resellers
    to promote the most advanced vulnerability assessment solutions today.

    Contact us at 416-482-0038 or at canadasales@beyondsecurity.com

    - - - - - - - - -

      Cross-Site Scripting in Unparsable XML Files
    ------------------------------------------------------------------------

    SUMMARY

    Internet Explorer automatically attempts to parse any XML file requested
    individually by the browser. When the parsing process is successful, a
    dynamic tree of the various XML elements is presented. However, when a
    parsing error occurs, Internet Explorer displays the parse error along
    with the URL of the requested XML file.

    DETAILS

    Vulnerable systems:
     * Microsoft Internet Explorer 5.5 and 6.0

    Note that any other application that uses Internet Explorer's engine
    (WebBrowser control) is affected as well (AOL Browser, MSN Explorer,
    etc.).

    Immune systems:
     * Microsoft Internet Explorer 6.0 with the latest SPs and HotFixes

    GreyMagic have found that in some cases the displayed URL is not filtered
    appropriately, and may cause HTML that was passed in the query string of
    the URL to be rendered by the browser. This creates a classic cross-site
    scripting attack in almost any XML file that MSXML fails to read.
    Practically, this means that leaving XML files on your server that can't
    be parsed correctly by Internet Explorer and MSXML is exposing the site to
    a global Cross-Site Scripting attack.
    We have been able to reproduce this problem in various setups, but we
    couldn't pinpoint the vulnerable component reliably enough. It is most
    likely an MSXML issue, and not a flaw in Internet Explorer itself.
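
    The advisory's practical takeaway is that every XML file on the server
    that MSXML cannot parse becomes a reflection point. The following is an
    added example (not part of the GreyMagic or SecuriTeam advisory): it
    walks a web root for *.xml files that fail to parse, and shows the
    HTML-escaped rendering of the requested URL that the error page lacked.
    Python's xml.etree parser is assumed as a stand-in for MSXML; the two do
    not agree on every edge case, so treat the list as a first pass.

```python
"""Find XML files under a web root that fail to parse, and show the
reflected-URL escaping the IE/MSXML error page was missing.

Added example, not from the advisory. xml.etree stands in for MSXML
(assumption): parsers differ on encoding, DTD and entity handling, so a
file accepted here may still fail in MSXML, and vice versa.
"""
import html
import tempfile
from pathlib import Path
import xml.etree.ElementTree as ET


def unparsable_xml_files(webroot):
    """Return [(relative_path, parse_error)] for every *.xml file under
    webroot that does not parse. In the advisory's scenario each such
    file, fetched directly in IE 5.5/6.0, yields an error page that echoes
    the request URL (query string included)."""
    webroot = Path(webroot)
    failures = []
    for path in sorted(webroot.rglob("*.xml")):
        try:
            ET.parse(path)
        except ET.ParseError as exc:
            failures.append((path.relative_to(webroot).as_posix(), str(exc)))
    return failures


def parse_error_page(url):
    """Safe form of the error page's URL echo: the requested URL is
    HTML-escaped, so markup in the query string is displayed as text. The
    vulnerable behaviour is the same template with `url` inserted verbatim."""
    return ("<p>Cannot view XML input. Error processing resource: %s</p>"
            % html.escape(url, quote=True))


def demo():
    """Constructed sample web root: one well-formed file, one broken one."""
    root = Path(tempfile.mkdtemp())
    (root / "ok.xml").write_text('<?xml version="1.0"?><feed><item/></feed>')
    (root / "data").mkdir()
    # mismatched closing tag: MSXML and xml.etree both reject this
    (root / "data" / "flaw.xml").write_text("<root><unclosed></root>")
    return root


if __name__ == "__main__":
    root = demo()
    for rel, err in unparsable_xml_files(root):
        print(f"unparsable: {rel} ({err})")
    print(parse_error_page("http://host/flaw.xml?<script>alert(document.cookie)</script>"))
```

    Files it reports are candidates to fix or remove; the escaping function
    is the check to apply to any error page that echoes a requested URL.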

    Exploit:
    This sample shows the basic URL for injecting content:
    http://host.with.unparsable.xml.file/flaw.xml?<script>alert(document.cookie)</script>

    Demonstration:
    Try this URL (in the original advisory, a link whose query string
    carries alert(location.href) inside a script tag); if a popup appears,
    you are vulnerable.

    Solution:
    Microsoft was notified on 20-Feb-2003. They reported that they were able
    to reproduce this flaw on IE6 Gold, and no other version. GreyMagic's
    research showed different, yet inconsistent results.

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    http://security.greymagic.com/adv/gm013-ie/

    The information has been provided by GreyMagic Software
    (security@greymagic.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

