Microsoft Internet Explorer 'toStaticHTML' HTML Sanitizing Information Disclosure
- From: adic@xxxxxxxxxx
- Date: Thu, 21 Jul 2011 07:14:34 GMT
Name: Microsoft Internet Explorer 'toStaticHTML' HTML Sanitizing Information Disclosure Vulnerability
Author: Adi Cohen of IBM Rational Application Security (adic@xxxxxxxxxx)
Date: June 14, 2011
If an attacker can manage to pass malicious code through the toStaticHTML function, s/he may be able to perform HTML injection-based attacks (such as XSS).
This code bypasses the filter engine by taking advantage of the following facts:
1. The filtering engine allows the string "expression(" to exist in "non-dangerous" locations within the CSS
2. The filtering engine changes special characters (such as `&`, `<`, `>`) to their HTML encoded equivalents (`&amp;`, `&lt;`, `&gt;`), which all end with a semicolon
An attacker can use the semicolon of the HTML encoded characters to terminate a CSS sentence and start a new one without the filtering engine being aware of it, thereby breaking the state machine.
Any application that relies on the function toStaticHTML to sanitize user supplied data is probably vulnerable to XSS.
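As an added example (not code from the advisory and not the logic of toStaticHTML), the kind of check the finding argues for on the defending side: entity-decode and strip comments before matching, then reject the `expression(` token wherever it appears instead of trusting its position, and allowlist the properties that survive. The function names, the allowlist and the sample styles are assumptions constructed for illustration.

```python
import html
import re

# Constructed example: a position-independent check for style attribute values.
# The point is that a sanitizer must match on what the CSS engine will see
# (after entity decoding and comment removal), not on the encoded text.

_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
_EXPRESSION_RE = re.compile(r"expression\s*\(", re.I)
# Assumed allowlist of harmless properties for the application at hand.
_ALLOWED_PROPS = {"color", "background-color", "font-size", "font-weight", "text-align"}


def normalize_css(style: str) -> str:
    """Decode HTML entities (&amp; -> &, &lt; -> <, ...) and drop CSS comments,
    so that entity semicolons can no longer masquerade as declaration terminators."""
    decoded = html.unescape(style)
    return _COMMENT_RE.sub("", decoded)


def contains_expression(style: str) -> bool:
    """True if 'expression(' occurs anywhere in the normalized style, regardless of
    whether a state machine would consider that location 'non-dangerous'."""
    return _EXPRESSION_RE.search(normalize_css(style)) is not None


def is_safe_style(style: str) -> bool:
    """Allowlist check: every declaration must be 'prop: value' with an allowed
    property, no expression( anywhere, and no markup or URL-loading in values."""
    css = normalize_css(style)
    if _EXPRESSION_RE.search(css):
        return False
    for decl in css.split(";"):
        decl = decl.strip()
        if not decl:
            continue
        if ":" not in decl:
            return False
        prop, value = decl.split(":", 1)
        if prop.strip().lower() not in _ALLOWED_PROPS:
            return False
        if re.search(r"[<>\"'\\]|url\s*\(|@import", value, re.I):
            return False
    return True
```

Rejecting the token anywhere accepts a few false positives (e.g. the word inside a string value); that trade-off is the price of not depending on the sanitizer's notion of position.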