ibmatom-xss.txt

Reported: 11 Sep 2007 00:00:00, by Yosuke HASEGAWA
Type: packetstorm
Source: packetstormsecurity.com

XSS using Atom feed in www.ibm.com (already fixed). IE6 specific. Charset manipulation to execute malicious script.

XSS using Atom feed in www.ibm.com

Abstract:
An XSS via the Atom feed existed in www.ibm.com (already fixed).
This XSS technique works only in IE6; it does not work in IE7 or Firefox.

PoC:
http://www.ibm.com/fscripts/search/opensearch/search.fcgi/a.html?
q=%2BADw-/title%2BAD4-%2BADw-script%2bAD4-alert(document.location)
%2BADw-/script%2BAD4-&v=16&en=utf&lang=ja&cc=en&format=atom&startIndex=1

When this URL is opened in IE6, the script runs.

Details:
By adding the "format=atom" parameter, "Content-Type: application/atom+xml"
is returned as a response header.

Note that no charset is given. This is the first step of the attack.

Next, IE6 does not recognise "application/atom+xml" as a Content-Type.
This is the second step.

The third step: the original search URL on ibm.com is the following:
http://www.ibm.com/fscripts/search/opensearch/search.fcgi?q=....
It still works even if PATH_INFO is appended, as follows:
http://www.ibm.com/fscripts/search/opensearch/search.fcgi/a.html?q=....
Because the Content-Type cannot be interpreted, IE6 falls back to the
appended PATH_INFO ("a.html") and decides that the file type is HTML.

Therefore IE6 interprets the content as HTML encoded in UTF-7, and
the script included in the parameter is executed.

Solution:
A charset has now been added to the Content-Type of this CGI, i.e.
"Content-Type: application/atom+xml; charset=utf-8", and
moreover "%3c" in the "q" parameter is now encoded to "&lt;".
As a result, injecting the script via UTF-7 is no longer possible.

There is another solution, as follows.

When the Content-Type cannot be understood, IE6 next decides the
file type from the Content-Disposition header.
So the file type can be kept from being judged as HTML from
PATH_INFO by adding a Content-Disposition header such as:
"Content-Disposition: inline; filename=a.xml"

--
HASEGAWA Yosuke
[email protected]
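As an added illustration (not part of the advisory or of IBM's code), the Python below decodes the same bytes under UTF-7 and under UTF-8 to show why the undeclared charset matters, then applies the fixes described above (charset in Content-Type, a Content-Disposition header, HTML-escaping of the echoed query) and audits a response for the preconditions that remain. The header dictionary, request path and body fragment are constructed sample values.

```python
"""Feed-response hardening and audit, modelled on the advisory above."""
from __future__ import annotations

import html


def decoded_under(payload: bytes, charset: str) -> str:
    """Decode identical bytes under a given charset.

    With no charset declared, a browser that guesses UTF-7 turns the
    ASCII sequence "+ADw-" into "<"; under the declared UTF-8 it stays inert text.
    """
    return payload.decode(charset)


def harden_feed_response(headers: dict[str, str], echoed: str) -> tuple[dict[str, str], str]:
    """Apply the advisory's fixes to a response (constructed header dict).

    1. Pin the charset on the existing media type.
    2. Name the file as XML so PATH_INFO cannot drive type sniffing.
    3. HTML-escape user-controlled text before it enters the feed body.
    """
    hardened = dict(headers)
    media = hardened.get("Content-Type", "application/atom+xml").split(";")[0].strip()
    hardened["Content-Type"] = f"{media}; charset=utf-8"
    hardened.setdefault("Content-Disposition", "inline; filename=a.xml")
    return hardened, html.escape(echoed, quote=True)


def audit_feed_response(headers: dict[str, str], request_path: str) -> list[str]:
    """Report which preconditions from the advisory a response still exhibits."""
    findings = []
    ctype = headers.get("Content-Type", "")
    if "charset=" not in ctype.lower().replace(" ", ""):
        findings.append("Content-Type has no charset")
    if "Content-Disposition" not in headers and request_path.lower().endswith((".htm", ".html")):
        findings.append("PATH_INFO ends in .html and no Content-Disposition is set")
    return findings


if __name__ == "__main__":
    # Constructed request: PATH_INFO "/a.html" appended to the CGI path.
    path = "/fscripts/search/opensearch/search.fcgi/a.html"
    weak = {"Content-Type": "application/atom+xml"}
    print("before:", audit_feed_response(weak, path))
    fixed, body = harden_feed_response(weak, "<title>q</title>")
    print("after:", audit_feed_response(fixed, path), fixed, body)
```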

Vulners AI Score: 7.4 (High risk)