SECURITYVULNS:DOC:17866
Aug 22, 2007 - 12:00 a.m.

[Fwd: RE: XSS via IE MOTW feature. [sd]]

vulners.com

Hello MustLive / 3APA3A,

I read your Vulnerabilities digest reported to BT today. Last year I
noticed issue 3 during an assessment also. I've contacted MS during
that time (see below). They replied with:


Hi David

Thank you for submitting your email regarding XSS via IE MOTW feature.
We have reproduced the scenario you described in your email. While we
are looking to address this, the mitigating factors and the severity
of the bug is typically looked to be fixed in a Service Pack. It won't
get dropped but it does seem to be the most appropriate shipping
vehicle. Please let me know if you concur with this decision.

In the meantime here are some simple precautions you can take to
address this issue:

  1.  Do not click URLs provided by untrusted sources
  2.  Disable Active scripting

If you feel that I have misunderstood the issue as reported or if you
feel that you may have additional information which may change our
stance on this issue, please let us know as soon as possible.

We thank you again for bringing this to our attention.

Kieron

However, as you noticed, it's still not fixed in IE6 & IE7 (save as HTML
page, which is not the default).

Kind regards,

David Vaartjes

-------- Original Message --------
Subject: RE: XSS via IE MOTW feature. [sd]
Date: Mon, 11 Sep 2006 17:18:41 -0700
From: Microsoft Security Response Center <[email protected]>
To: David Vaartjes <[email protected]>
CC: Microsoft Security Response Center <[email protected]>

Hi David,

I am following up with the product team and will get back to you
shortly.

It is very likely this will be a Service Pack class issue, due to the
high degree of user interaction required.

Thanks
Scott D.

-----Original Message-----
From: David Vaartjes [mailto:[email protected]]
Sent: Wednesday, September 06, 2006 6:26 AM
To: Microsoft Security Response Center
Subject: Re: XSS via IE MOTW feature.

*** PGP SIGNATURE VERIFICATION***
*** Status: Unknown Signature
*** Signer: Unknown Key (0x6334D055)
*** Signed: 9/6/2006 6:26:13 AM
*** Verified: 9/6/2006 11:18:04 AM
*** BEGIN PGP DECRYPTED/VERIFIED MESSAGE***

Hello Scott,

I was wondering what the status of this issue is?

Greets,

Microsoft Security Response Center wrote:
> Hi David,
>
> Thanks for your email, having reviewed your submission I would agree
> this is a minor issue that requires a fair degree of user interaction
> to exploit.
>
> I will pass this onto the IE team for analysis, thanks for submitting
> this to us.
>
> Cheers
> Scott D.
>
> -----Original Message-----
> From: David Vaartjes [mailto:[email protected]]
> Sent: Sunday, August 06, 2006 12:12 PM
> To: Microsoft Security Response Center
> Subject: XSS via IE MOTW feature.
>
> >>> PGP SIGNATURE VERIFICATION ***
> >>> Status: Unknown Signature
> >>> Signer: Unknown Key (0x6334D055)
> >>> Signed: 8/6/2006 12:12:21 PM
> >>> Verified: 8/6/2006 1:23:38 PM
> >>> BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
>
> Hello,
>
> I noticed that when IE adds the Mark of the Web (MOTW) comment line to
> a saved webpage, HTML and / or scripting code present in the URL is
> not encoded. Although IMHO a minor issue, this can put your customers
> at risk when they are lured (via e-mail or malicious web page) to
> visit, save and load (saved version) a certain webpage.
>
> For example, the following webpage accepts a parameter (ie) that can
> be changed to an arbitrary value without changing the "looks" of the
> webpage:
>
> http://www.amazon.com/b/ref=gw_br_txb/103-5643130-2819801?ie=UTF8&node=465600
>
>
> So when this URL is changed as follows, the target webpage looks the
> same as requested via the previous URL:
>
> http://www.amazon.com/b/ref=gw_br_txb/103-5643130-2819801?ie=UTF8--><script>alert("XSS")</script><!--&node=465600
>
>
> Next, when this webpage is saved, the first lines of the saved webpage
> read:
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <!-- saved from url=(0126)http://www.amazon.com/gp/browse.html/ref=gw_br_txb/104-5050675-6891914?ie=UTF8--><script>alert("XSS")</script><!--&node=465600
> -->
>
> This will result in XSS when the saved webpage is loaded.
>
> Tested with up to date XP SP2 IE 6.0.
>
> Please contact me if additional details are required.
>
> Kind regards,
> --
> Ing. David Vaartjes <mailto:[email protected]> Security Engineer
> -------------------------------------------------------------------
> ITsec Security Services B.V., Postbus 5120, 2000 GC HAARLEM
> Tel.+31-(0)235420578, Fax.+31-(0)235345477 http://www.itsec-ss.nl
> -------------------------------------------------------------------
> Exploit & Vulnerability Alerting Service http://evas.itsec-ss.nl
>
> -------------------------------------------------------------------
> ITsec Security Services B.V. may not be held liable for the effects or
> damages caused by the direct or indirect use of the information or
> functionality provided by this posting, nor the content contained
> within. Use them at your own risk.
> ITsec Security Services B.V. bears no responsibility for misuse of
> this posting or any derivatives thereof.
>
>
> >>> END PGP DECRYPTED/VERIFIED MESSAGE ***



*** END PGP DECRYPTED/VERIFIED MESSAGE***


Ing. David Vaartjes <mailto:[email protected]>
Security Engineer

ITsec Security Services B.V., Postbus 5120, 2000 GC HAARLEM
Tel.+31-(0)235420578, Fax.+31-(0)235345477, KvK. 34181927
http://www.itsec-ss.nl

Exploit & Vulnerability Alerting Service
http://evas.itsec-ss.nl

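An added example, not part of the thread and not IE's code: a small Python model of the Mark of the Web comment the report describes, a hardened builder that percent-encodes comment-closing sequences (an assumed fix, not Microsoft's), and a checker that flags a saved page whose declared URL length disagrees with what actually sits inside the comment, which is exactly the symptom of the breakout shown above. The sample URL is constructed and points at example.com.

```python
import re

# Matches the MOTW line the way a browser reads it: the comment ends at the
# FIRST "-->", no matter how long the length field claims the URL is.
MOTW_RE = re.compile(r'<!--\s*saved from url=\((\d{4})\)(.*?)\s*-->', re.S)

def build_motw_unsafe(url):
    """Behaviour the report describes: the URL is inserted verbatim."""
    return f'<!-- saved from url=({len(url):04d}){url}\n-->'

def sanitize_motw_url(url):
    """Hardened variant (an assumption of this example, not IE's fix): percent-
    encode every sequence that could close the comment or open a tag."""
    url = url.replace('<', '%3C').replace('>', '%3E')
    while '--' in url:              # "--" is never allowed inside an HTML comment
        url = url.replace('--', '-%2D')
    return url

def build_motw_safe(url):
    safe = sanitize_motw_url(url)
    return f'<!-- saved from url=({len(safe):04d}){safe}\n-->'

def check_saved_page(html):
    """Inspect a saved page's MOTW comment; returns a list of findings (empty = clean)."""
    m = MOTW_RE.search(html)
    if not m:
        return ['no MOTW comment found']
    declared, captured = int(m.group(1)), m.group(2)
    findings = []
    if declared != len(captured):
        # The length field counts the whole original URL, but the comment was
        # terminated early: whatever follows is URL text rendered as markup.
        start = m.start(2) + len(captured)
        spilled = html[start:m.start(2) + declared]
        findings.append(f'length mismatch ({declared} declared, {len(captured)} '
                        f'inside comment); spilled markup: {spilled!r}')
    if re.search(r'[<>]', captured):
        findings.append('tag characters inside MOTW URL')
    return findings

# Constructed sample URL in the shape the report describes (not a real site).
ATTACK_URL = 'http://example.com/page?ie=UTF8--><script>alert(1)</script><!--&node=1'

if __name__ == '__main__':
    for page in (build_motw_unsafe(ATTACK_URL), build_motw_safe(ATTACK_URL)):
        print(page)
        print(check_saved_page(page) or ['clean'])
```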