Reporter Yosuke HASEGAWA
XSS using Atom feed in www.ibm.com
An XSS via an Atom feed existed on www.ibm.com (already fixed).
This XSS technique works only in IE6; it does not work in IE7 or Firefox.
When this URL is opened in IE6, the script executes.
By adding the "format=atom" parameter, "Content-Type: application/atom+xml"
is returned as a response header.
Note that no charset is given. This is the first step of the attack.
Next, IE6 does not understand "application/atom+xml" as a Content-Type.
This is the second step.
The third step: the original search URL on ibm.com is the following:
Even if PATH_INFO is appended as follows, it still works.
Because IE6 cannot determine the file type from the Content-Type, it falls
back to the appended PATH_INFO and judges the file type to be HTML.
Therefore, IE6 interprets the content as HTML encoded in UTF-7, and
the script included in the parameter is executed.
Now a charset has been added to the Content-Type of this CGI, i.e.
"Content-Type: application/atom+xml; charset=utf-8", and
moreover the "<" that "%3c" in the "q" parameter decodes to is now HTML-encoded.
As a result, injecting a script via UTF-7 is no longer possible.
There is another solution, as follows.
When the Content-Type cannot be understood, IE6 falls back to deciding the
file type from the Content-Disposition header.
So the file type being judged as HTML from PATH_INFO can be prevented
by adding a Content-Disposition header such as:
"Content-Disposition: inline; filename=a.xml"