Microsoft Internet Explorer 8 IMG Tag Hijacking

Type packetstorm
Reporter Vladimir Vorontsov
Modified 2010-04-23T00:00:00


                                            `Hello Full disclosure!  
Once again, unwinding theme HiJacking found a fun way to get the very  
least information about the target resource when the user is located at the  
Already crocked <img> tag opens new opportunities using the method  
fileSize, described here:  
(v = VS.85). Aspx   
Consider a simple example - a Web application after authentication  
provides some sort of picture for the user, for example:   
The attacker, knowing this can create a page to read:   
<img id="onsec" src="">   
<input type="button" onclick="if (onsec.fileSize> 0) (alert ('authorized  
on') else (alert ('not authorized on')}">   
Thus, the attacker learns the simplest case, whether the target user  
access to   
Continuing the theme, I want to note that in some cases, can obtain  
additional information from the very values of the size of the picture. It  
can be any logical information Web applications, say, the same script can  
show administrators a picture of the same size, and users - of another.  
Thus, we obtain the user rights. And so on.   
I'd like to return the size of the method is not only "valid" images, but  
also HTML pages, JSON, etc. But, unfortunately, does not work. Maybe, of  
course, there are exceptions, call to investigate the matter.   
I have some thoughts on the study of vector images in XML format, because  
HTML is often valid XML, and then ...   
Check for the test version IE9, but he did not support SVG inside tag  
<img>, but only as a separate tag.   
Works in IE8, in Opera 10.52 does not work on check writing, if not  
Original at russian language:  
Best regards,   
Vladimir Vorontsov  
ONsec security expert