Products::Security::Contact

• Security
  • News
  • Vulnerabilities
    • Internet Explorer
    • Opera
    • Other
    • Mozilla Firefox
  • Online Tools
    • Script Decoder
  • Subscribe
• Products
  • Composica Enterprise
• Contact

GreyMagic Security Advisory GM#013-IE

By GreyMagic Software, Israel.
17 Jun 2003.

Topic: Cross-Site Scripting in Unparsable XML Files.

Discovery date: 18 Feb 2003.

Affected applications:

Microsoft Internet Explorer 5.5 and 6.0.

Note that any other application that uses Internet Explorer's engine (WebBrowser control) is affected as well (AOL Browser, MSN Explorer, etc.).

Introduction:

Internet Explorer automatically attempts to parse any XML file requested individually by the browser. When the parsing process is successful, a dynamic tree of the various XML elements is presented. However, when a parsing error occurs Internet Explorer displays the parse error along with the URL of the requested XML file.

Discussion:

We have found that in some cases the displayed URL is not filtered appropriately, and may cause HTML that was passed in the querystring of the URL to be rendered by the browser. This creates a classic cross-site scripting attack in almost any XML file that MSXML fails to read. Practically, this means that leaving XML files on your server that can't be parsed correctly by Internet Explorer and MSXML is exposing the site to a global Cross-Site Scripting attack.

We have been able to reproduce this problem in various setups, but we couldn't pinpoint the vulnerable component reliably enough. It is most likely an MSXML issue, and not a flaw in Internet Explorer itself.

Exploit:

This sample shows the basic URL for injecting content:

http://host.with.unparsable.xml.file/flaw.xml?<script>alert(document.cookie)</script>

Demonstration:

Try this URL, if a popup appears, you are vulnerable.

Solution:

Microsoft was notified on 20-Feb-2003. They reported that they were able to reproduce this flaw on IE6 Gold, and no other version. Our research showed different, yet inconsistent results (see "Tested on" section for details).

Tested on:

IE5.5 NT4.
IE6 Win98.
IE6 Win2000.

Disclaimer:

The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.

Vulnerability details are provided strictly for educational and defensive purposes.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

Stay informed:

Subscribe to GreyMagic's early notification email service and be informed of new vulnerabilities and updates as soon as they appear on the site.

Press here to subscribe.

Your privacy is important to us, read our Privacy Statement.

Copyright © 2008 GreyMagic Software