| Title | Published | Views | Family |
|---|---|---|---|
| Microsoft Internet Explorer toStaticHTML Cross-Site-Scripting (MS11-050; CVE-2011-1252) | 14 Jun 2011 00:00 | – | checkpoint_advisories |
| Preemptive Protection against Microsoft Internet Explorer SafeHTML Cross-Site Scripting (MS11-074) | 13 Sep 2011 00:00 | – | checkpoint_advisories |
| CVE-2011-1252 | 16 Jun 2011 20:21 | – | cve |
| CVE-2011-1252 | 16 Jun 2011 20:21 | – | cvelist |
| MS11-074: Vulnerabilities in Microsoft SharePoint could allow elevation of privilege: September 13, 2011 | 13 Sep 2011 00:00 | – | mskb |
| MS11-050: Cumulative Security Update for Internet Explorer: June 14, 2011 | 14 Jun 2011 00:00 | – | mskb |
| CVE-2011-1252 | 16 Jun 2011 20:55 | – | nvd |
| Microsoft Internet Explorer Multiple Vulnerabilities (2530548) | 15 Jun 2011 00:00 | – | openvas |
| Microsoft SharePoint Multiple Privilege Escalation Vulnerabilities (2451858) | 14 Sep 2011 00:00 | – | openvas |
Name: Microsoft Internet Explorer 'toStaticHTML' HTML Sanitizing Information Disclosure Vulnerability
Author: Adi Cohen of IBM Rational Application Security ([email protected])
Date: June 14, 2011
Risk: Medium
CVE: CVE-2011-1252
Introduction
-------------
The JavaScript function toStaticHTML, which is found in Internet Explorer 8 and Internet Explorer 9, is used to sanitize HTML fragments from dynamic and potentially malicious content. If an attacker can manage to pass malicious code through this function, s/he may be able to perform HTML injection based attacks (such as XSS).
Vulnerability
-------------
An attacker can create a specially formed CSS that, after passing through the toStaticHTML function, will contain an expression that will trigger a JavaScript call.
The following JavaScript code demonstrates the vulnerability:
<script>document.write(toStaticHTML("<style>div{color:rgb(0,0,0)&a=expression(alert(1))}</style>Adi Cohen"))</script>
This code bypasses the filter engine by taking advantage of the following facts:
1. The filtering engine allows the string "expression(" to exist in "non-dangerous" locations within the CSS.
2. The filtering engine changes special characters (such as &, <, >) to their HTML encoded equivalents (&amp;, &lt;, &gt;), which all end with a semicolon.
An attacker can use the semicolon of the HTML encoded characters to terminate a CSS sentence and start a new one without the filtering engine being aware of it, thereby breaking the state machine.
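As an added illustration (not part of the advisory, and not Microsoft's code), the following toy JavaScript models the flaw class just described: a filter that inspects the raw input and only then entity-encodes it, beside a hardened variant that re-checks the encoded output the browser will actually tokenise. The function names are assumptions, and the model does not reproduce Internet Explorer's real CSS parser.

```javascript
// Toy model of the toStaticHTML bypass class (added example, not the
// advisory's or Microsoft's code). The CSS parser here is deliberately
// simplistic: declarations are split on ';' and a value starts after ':'.

function htmlEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Flawed model: "expression(" is only blocked at the START of a declaration
// value, and the check runs on the RAW input before encoding. The "&amp;"
// produced afterwards carries a ';' the checker never saw as a boundary.
function naiveSanitizeCss(css) {
  for (const decl of css.split(";")) {
    const colon = decl.indexOf(":");
    const value = colon < 0 ? "" : decl.slice(colon + 1).trim();
    if (/^expression\s*\(/i.test(value)) return null; // blocked
  }
  return htmlEncode(css); // encoding after the check: the bug
}

// What a lenient browser tokeniser would see as declaration boundaries
// in the sanitizer's OUTPUT (every ';', including entity-introduced ones).
function browserDeclarations(out) {
  return out.split(";").map((d) => d.trim());
}

// Hardened model: encode first, then scan the output as the browser will,
// and refuse "expression(" wherever it appears rather than only at a
// position the filter's own state machine considers a value start.
function strictSanitizeCss(css) {
  const out = htmlEncode(css);
  for (const decl of browserDeclarations(out)) {
    if (/expression\s*\(/i.test(decl)) return null; // blocked
  }
  return out;
}

// Constructed input: the advisory's style-block payload.
const payload = "div{color:rgb(0,0,0)&a=expression(alert(1))}";
console.log(naiveSanitizeCss(payload));   // passes the naive filter
console.log(browserDeclarations(naiveSanitizeCss(payload)));
console.log(strictSanitizeCss(payload));  // null: rejected
```

The second logged line shows the browser-side split: the `&amp;` entity ends the `color` declaration, and `a=expression(alert(1))}` begins a new one that the naive filter never examined.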
Impact
------
Any application that relies on the function toStaticHTML to sanitize user supplied \
data is probably vulnerable to XSS.
References
----------
http://www.securityfocus.com/bid/48199
http://support.avaya.com/css/P8/documents/100141412
http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx