Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is this horrifying XSS vector still an issue in Internet Explorer?

From hi.baidu.com/monyer/blog/item/d0f5d8b48fc442758bd4b2a4.html

Char 192 is <font face="xyz[0xC0]">not </font><font face=" onmouseover=alert(192) s=[0xC0]" >available</font>

0xC0 is one of the 32 first bytes of 2-byte sequences (0xC0-0xDF) in UTF-8. So when IE parses the above code, it will consider 0xC0 and the following quote as a sequence, and therefore these two pairs of FONT elements will become one with "xyz[0xC0]">not </font><font face=" as the value of FACE parameter. The second 0xC0 will start another 2-byte sequence as a value of NOTEXIST parameter which is not quoted. Due to a space character following by the quote, 0xE0-0xEF which are first bytes of 3-byte sequences, together with the following quote and one space character will be considered as the value of NOTEXIST parameter.

Essentially, certain bytes indicate the start of a 3-byte character in a UTF-8 string. If those bytes make their way onto a webpage, IE will eat up the next two bytes even if the resulting three bytes don't make up a valid UTF-8 character. This can cause IE to eat up ending quotes in HTML attributes, wreaking XSS-flavored havoc.

The article is about IE6, so I have two tightly-coupled questions:

  1. Is this still an issue in later versions of IE?
  2. If so, is there a purely client-side method of avoiding it? In other words, assuming a "poisoned" string is received from the server, is there anything that can be done client-side to prevent this vulnerability?
like image 316
ClosureCowboy Avatar asked May 08 '11 15:05

ClosureCowboy


1 Answers

If I understand the vulnerability correctly, it was addressed in 2006 in Microsoft Security Bulletin MS06-021.

A remote code execution vulnerability exists in the way Internet Explorer decodes specially crafted UTF-8 encoded HTML. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited the specially crafted Web site.

like image 118
Ben Fulton Avatar answered Oct 19 '22 20:10

Ben Fulton