Huh? How is this an XSS bug? How is the about: URL added to a Web page?

Richard
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lorenzo Hernandez Garcia-Hierro
Sent: Monday, August 11, 2003 1:13 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Microsoft Internet Explorer about:blank Cross Site Scripting

Microsoft Internet Explorer about:blank Cross Site Scripting
------

PRODUCT: Internet Explorer
VENDOR: Microsoft <www.microsoft.com>
VULNERABLE VERSIONS:
- 6.0.2600.x <- without SP1
- 5.0.x
- 4.x
- 3.x
- Older versions are possibly affected too.
NOT VULNERABLE VERSIONS:
- ?

---------------------
Description:

Microsoft Internet Explorer is one of the best web browsers, used by millions of people around the world. It is not the most secure web browser, but it is easy to use, quick and has a good-looking design.

---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
---------------------------------------------

I encountered a Cross Site Scripting vulnerability when you pass crafted about:blank pages.

-----------------
| ABOUT:XSS ;-) |
-----------------

When you pass a specially crafted URL to the Internet Explorer about:blank URL, you can conduct a Cross Site Scripting attack with a very simple technique:

  about:blank%20[ CROSS SITE SCRIPTING ATTACK ]

Examples:

  about:blank%20<script>alert('8-D uhh !');</script>
  about:blank%20<iframe src="about:blank%20<h1>;- )"></iframe>
  about:blank%20<h1>XSS is behind you...</h1>

With this you can get (steal) cookies from the victim's browser and perform other attacks against the victim's system.

-----------------
| IMPORTANT     |
| NOTES         |
-----------------

1.- The SP1 for MS Internet Explorer contains XSS protection for URL objects, and you can't run this.
2.- This vulnerability is not related to the hole called the about:// URLs vulnerability.
3.- This vulnerability only concerns the about:blank URL.
-----------
| CONTACT |
-----------
Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
www.novappc.com
security.novappc.com
www.lorenzohgh.com
______________________
NSRG-20-7
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
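The way a URL of the advisory's shape reaches a page is through a link, frame or redirect target that an application lets a user supply. The check below is an added example, not code from the advisory, from the thread or from Microsoft: a scheme allow-list applied to a user-supplied URL before it is echoed into an href or src, plus a helper that shows what an about:blank handler would be handed after the "about:blank" prefix. The function names (decodeFully, urlScheme, classifyUrl, aboutPayload) are invented for this example, and the sample URLs are constructed here, copying the about:blank%20<markup> pattern from the advisory.

```javascript
// Added example, not code from the advisory, the thread or Microsoft.
// Allow-list check for a user-supplied URL that a page is about to echo
// into an href, src or redirect target, so that a URL of the advisory's
// shape (about:blank%20<markup>) is rejected rather than rendered.
// Function names are invented for this example; sample URLs are constructed.

const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Percent-decode until the string stops changing (bounded at 4 rounds),
// so double encoding such as %2561bout: cannot hide the scheme or payload.
function decodeFully(url) {
  let current = String(url);
  for (let round = 0; round < 4; round++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape sequence: stop decoding, keep what we have
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Lower-cased scheme of the URL, or null for a relative URL. Whitespace and
// control characters are dropped first, because old browsers accepted
// schemes written as "java\tscript:" or with a leading space.
function urlScheme(url) {
  const cleaned = url.replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Decide whether the URL may be placed in a link or frame target.
function classifyUrl(url) {
  const scheme = urlScheme(decodeFully(url));
  if (scheme === null) {
    return { allowed: true, scheme: null, reason: "relative URL" };
  }
  if (ALLOWED_SCHEMES.has(scheme)) {
    return { allowed: true, scheme: scheme, reason: "scheme on allow-list" };
  }
  return { allowed: false, scheme: scheme, reason: "scheme not on allow-list" };
}

// The text an about:blank handler would be handed after "about:blank";
// for the advisory's URLs this is the injected markup. Returns "" when the
// URL is not an about:blank URL.
function aboutPayload(url) {
  const decoded = decodeFully(url).replace(/^[\u0000-\u0020]+/, "");
  const m = /^about:blank\s*([\s\S]*)$/i.exec(decoded);
  return m ? m[1] : "";
}

// Constructed samples; the about:blank ones follow the advisory's examples.
const samples = [
  "https://example.com/index.html",
  "/relative/path?x=1",
  "about:blank%20<script>alert('8-D uhh !');</script>",
  "about:blank%20<h1>XSS is behind you...</h1>",
  "%2561bout:blank%20<h1>double encoded</h1>",
  "javascript:alert(document.cookie)",
];

for (const s of samples) {
  const verdict = classifyUrl(s);
  console.log(
    JSON.stringify(s), "->", verdict.allowed ? "allow" : "reject",
    "(" + verdict.reason + ")",
    verdict.scheme === "about" ? "payload: " + aboutPayload(s) : ""
  );
}
```

Run it with node. The check is an allow-list on the scheme rather than a block on "about:" because a denylist would have to be extended for every other script-bearing scheme a browser honours (javascript:, for one), whereas http and https are the only schemes most applications ever need in a user-supplied link; the repeated decoding and the stripping of whitespace before the scheme close the two obvious ways of smuggling a rejected scheme past a naive prefix test.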