
| Subject: | Re: [Full-Disclosure] Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate HTML |
|---|---|
| Date: | Mon, 28 Feb 2005 21:29:08 +0300 |
Dear bitlance winter,

Using MHTML to bypass content filtering for scripting was at least reported here by offtopic, as well as a few more tricks. You may want to read this:

offtopic, 3APA3A. Bypassing client application protection techniques
http://www.security.nnov.ru/advisories/bypassing.asp

and this:

3APA3A. Bypassing content filtering whitepaper
http://www.security.nnov.ru/advisories/content.asp

--Monday, February 28, 2005, 6:11:31 PM, you wrote to full-disclosure@lists.netsys.com:

bw> Hi, LIST.
bw>
bw> ========
bw> Subject:
bw> ========
bw> Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate
bw> HTML Documents
bw>
bw> ========
bw> NOTE:
bw> ========
bw> This bug had been provided by an unknown person on his site.
bw> This bug has been widely known in Japan since August 2004.
bw> (This news was reported.)
bw> Now his site is closed.
bw> Some engineers have prevented this bug. They maintain Web services.
bw> Wiki, Webmail, Blog, BBS: those might be dangerous.
bw>
bw> ========
bw> First:
bw> ========
bw> I want to show the following first. Please check it out using IE on XP SP2.
bw> The cat is here.
bw> http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg
bw> And the cat is a script kitty.
bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg
bw> You see? Executing JavaScript? OK.
bw> If you are using an old IE or Windows, try this one.
bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg.mhtml
bw> Confirmed?
bw>
bw> ========
bw> Second:
bw> ========
bw> What is happening to us?
bw> Please check it out.
bw> http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt
bw> or the same file,
bw> http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt
bw> This is a test message which demonstrates sending e-mail
bw> in HTML format according to RFC 2557.
bw> And check out, please:
bw> mhtml:http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt
bw> or the same file,
bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt
bw>
bw> ========
bw> Third:
bw> ========
bw> Then we can change Content-Transfer-Encoding:
bw> from '7bit' to 'quoted-printable'.
bw> Check it out, please.
bw> http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt
bw>
bw> ----- q2.txt ------
bw> Content-Type: text/html; charset=us-ascii
bw> Content-Transfer-Encoding: quoted-printable
bw>
bw> =3C!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"=3E
bw> =3CHTML=3E
bw> =3CHEAD=3E=3CTITLE=3ETest message no. 3=3C/TITLE=3E
bw> =3C/HEAD=3E
bw> =3CBODY=3E
bw> =3CH1=3EThis is test message no. 3=3C/H1=3E
bw> =3CH2=3EHere comes the red test image:=3C/H2=3E
bw> =3CIMG
bw> SRC=3D"http://www.dsv.su.se/jpalme/mimetest/red-test-image.gif"
bw> BORDER=3D0 HEIGHT=3D32 WIDTH=3D117
bw> ALT=3D"red test image"=3E
bw> =3CH2=3EHere comes the yellow test image:=3C/H2=3E
bw> =3CIMG
bw> SRC=3D"http://www.dsv.su.se/jpalme/mimetest/yellow-test-image.gif"
bw> BORDER=3D0 HEIGHT=3D32 WIDTH=3D152
bw> ALT=3D"yellow test image"=3E
bw> =3CP=3EThis is the last line of this test message.
bw> =3C/BODY=3E=3C/HTML=3E
bw> ----- q2.txt ------
bw>
bw> Where is the HTML tag?
bw> Do you know how to sanitise?
bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt
bw> The malicious code would be inserted by a malicious user
bw> on a blog, wiki or BBS with a file uploader, etc.
bw> JPEG or GIF files are also poisoned.
bw> There is a possible XSS issue on Windows XPSP2 IE6 via MHTML.
bw>
bw> ========
bw> Reference:
bw> ========
bw> Using HTML in E-mail
bw> http://www.dsv.su.se/jpalme/ietf/mhtml.html
bw> MIME Encapsulation of Aggregate HTML Documents (MHTML)
bw> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml_.asp
bw> RFC 2045 - Multipurpose Internet Mail Extensions (MIME) Part One: Format of
bw> Internet Message Bodies
bw> http://www.faqs.org/rfcs/rfc2045.html
bw> ===========
bw> Sorry for my bad English.
bw> Best Regards.
bw> ===========
bw> --
bw> bitlance winter

--
~/ZARAZA
The second time he fired, he maimed a bystander. The bystander was me. (Twain)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
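The bypass the quoted post describes, as an added example that is not part of the original thread or of either author's code: an upload filter that scans raw bytes for dangerous tags never sees a `<` because the file spells it `=3C`, while IE's `mhtml:` handler decodes the quoted-printable body before rendering it. The sample upload below is constructed in the style of the thread's q2.txt; the byte-level filter is a hypothetical one of the kind the post says sites were relying on; and Python's `email` parser is used as a stand-in for IE's MHTML parser, which is an assumption about roughly equivalent behaviour, not a model of the real component.

```python
import re
from email import message_from_bytes
from email.policy import default as default_policy

# Constructed sample upload (not from the original post): bytes a user might
# store as "cat.jpg" on a wiki or BBS. It is really a quoted-printable MIME
# part in the style of the thread's q2.txt: every '<' and '>' is spelled
# =3C / =3E, so the raw bytes contain no HTML tag at all.
POISONED_UPLOAD = (
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"=3Chtml=3E=3Cbody=3E\r\n"
    b"=3Cscript=3Ealert(document.cookie)=3C/script=3E\r\n"
    b"=3C/body=3E=3C/html=3E\r\n"
)

# Constructed benign upload for comparison: no MIME framing, harmless markup.
BENIGN_UPLOAD = b"<p>Here is my cat.</p>\r\n"

# Hypothetical byte-level tag filter of the kind a 2005-era site might run.
DANGEROUS_TAG_RE = re.compile(rb"<\s*/?\s*(script|iframe|object|embed)\b", re.I)
# Header names whose presence at the top of a file means an mhtml: URL would
# treat it as an aggregate HTML document rather than as the image it claims to be.
MIME_HEADER_RE = re.compile(rb"^(content-type|content-transfer-encoding|mime-version):", re.I)


def naive_scan(data: bytes) -> bool:
    """True if a dangerous tag appears in the raw bytes.

    This is the filter the post says MHTML defeats: it never sees '<'
    because the upload spells it =3C.
    """
    return DANGEROUS_TAG_RE.search(data) is not None


def mhtml_render(data: bytes) -> bytes:
    """Stand-in (assumption) for what IE does with mhtml:http://host/cat.jpg:
    parse the bytes as a MIME message and hand the *decoded* body to the
    HTML engine. Python's email parser applies Content-Transfer-Encoding,
    so =3Cscript=3E comes back as <script>.
    """
    msg = message_from_bytes(data, policy=default_policy)
    body = msg.get_payload(decode=True)  # None for multipart messages
    return body if body is not None else b""


def looks_like_mime(data: bytes) -> bool:
    """True if the upload opens with MIME headers, i.e. the mhtml: handler
    has something to parse. Only the first few lines are inspected."""
    for line in data.splitlines()[:10]:
        if MIME_HEADER_RE.match(line.strip()):
            return True
    return False


def hardened_scan(data: bytes) -> bool:
    """Reject if the raw bytes carry a dangerous tag, or if the file is
    MIME-framed and its decoded body carries one. Scanning the decoded
    form is what closes the =3C gap; rejecting MIME-framed "images"
    outright would be the stricter policy."""
    if naive_scan(data):
        return True
    if looks_like_mime(data):
        return naive_scan(mhtml_render(data))
    return False


if __name__ == "__main__":
    for name, blob in (("poisoned", POISONED_UPLOAD), ("benign", BENIGN_UPLOAD)):
        print(name, "naive:", naive_scan(blob), "hardened:", hardened_scan(blob))
    print("what mhtml: renders:", mhtml_render(POISONED_UPLOAD).decode())
```

Running it shows the poisoned upload passing `naive_scan` and failing `hardened_scan`, with the decoded body containing a live `<script>` element. Decoding before scanning is still a heuristic, since a browser-side parser may accept framing this parser does not; the durable fix for uploads is to serve user-supplied files from a separate origin that holds no session cookies, so that whatever the client decides to execute runs without the site's credentials.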
| Previous by Date: | [VulnDiscuss] Re: [Full-Disclosure] [HAT-SQUAD] BadBlue, Easy P2P File Sharing Remote Exploit (update), class 101 |
|---|---|
| Next by Date: | [Full-Disclosure] [ GLSA 200502-33 ] MediaWiki: Multiple vulnerabilities, Thierry Carrez |
| Previous by Thread: | [Full-Disclosure] Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate HTML, bitlance winter |
| Next by Thread: | [Full-Disclosure] iDEFENSE Security Advisory 02.28.05: Mozilla Firefox and Mozilla Browser Out Of Memory Heap Corruption Design Error, idlabs-advisories |