Subscribe to RSS feed

splitbrain.org - electronic brain surgery since 2001

WeblogLinkblogProjectsWebsitesPersonalShop

MSIE facilitates Cross Site Scripting

IE Crossite Scripting Chris Smith and me were investigating a strange Internet Explorer related problem in the last two days and it looks like IE has a flaw that makes cross site scripting on many sites possible.

The initial problem were spammers using open wikis to upload text files containing spammy HTML. At first we didn't understand why they would do that, as .txt files are served with a text/plain mime type and thus shouldn't be rendered by any browser. Well, we soon found that this is true for every browser, except for the Internet Explorer.

You probably know that on the web each served document or file is accompanied by a Content-Type header which tells the browser what type of data it is receiving. The browser then is supposed to use this info to decide what to do with the data, eg. rendering the HTML, downloading the file or give the data to a plugin.

So if a browser does not get a mime type registered for rendering HTML (usually text/html) it should not render it as HTML.

Well, Microsoft thought different and implemented something they call MIME Type Detection. It means they use the first few hundred bytes of the data and try to guess what the content is. This is a nice idea and even mentioned in RFC 2616:

If and only if the media type is not given by a Content-Type field, the recipient MAY attempt to guess the media type via inspection of its content […]

Unfortunately Microsoft got the order somehow tangled up: They ignore the sent type and do their guessing first. This of course violates the RFC, but is a well known fact: Phil Ringnalda wrote about it in 2004.

So how does that facilitate Cross Site Scripting? IE treats nearly everything1) as HTML that contains some tags in the first few hundred bytes. This includes the <script> tag.

Many web applications won't let you upload HMTL or JavaScript files to prevent XSS. But images or PDF documents for example aren't considered harmful and are often allowed. Yet I was able to construct such files with script code embedded which is executed by Internet Explorer.

IE executing Script code from a PNG comment Don't believe it? Here is a link to a 1x1 pixel white PNG image. Open it in Firefox or any other decent browser. It will be displayed fine. IE will treat it as HTML because it contains a script tag in the image comment. Note that this is a perfectly valid PNG image which I created in Gimp.

The next test object is a modified, simple "Hello World" PDF file. The Acrobat reader displays it fine2). Following the link in IE will execute the JavaScript.

So what does this mean? Wherever you allow upload of “harmless” files you might open a XSS vulnerability which could lead to IE user accounts compromised.

The solution? Hell, I don't know. We're still wondering about what we should do in DokuWiki about this. For now I recommend not allowing anonymous upload of any files.

PS: I tested the above files with MSIE 6.0.2900.2180.xpsp_sp2_gdr.050301-1519 on Windows XP. From different tests yesterday I know for sure that the same mime type guessing is still used in IE7. If the specific flaws shown above still exist I cannot say, but I guess so.

Tags:
msie,
xss,
security
Similar posts:
1) ironically it depends on the initially sent mime type, only if it matches one of the 26 very common types known by the FindMimeFromData function, the guessing will overrule the type
2) though I can not guarantee this is a valid PDF, it was just a quick try without a look at the PDF specs
Posted on Monday, February the 12th 2007 (3 years ago).

Comments?

1
Confirming that the examples above also can be used with IE 7.0.5730.11 in WinXP SP2.
2007-02-13 08:46:18
David Lorentsen
2
Great work guys - good research well explained! Looking forward to public reaction.
2007-02-14 12:25:54
Gregor Strasser
3
Amazing, and so dangerous ! I've tested these things a came up with a test suite to understand better IE's behaviour. Here is my PHP code. I may have an idea to solve the issue. I will try it and if it's worth, give feedback.

<?php

$tags = array('a','abbr','acronym','address','applet','area','b','base','basefont','bdo','big','blockquote','body','br','button','caption','center','cite','code','col','colgroup','dd','del','dfn','dir','div','dl','dt','em','fieldset','font','form','frame','frameset','h1','h2','h3','h4','h5','h6','head','hr','html','i','iframe','img','input','ins','isindex','kbd','label','legend','li','link','map','menu','meta','noframes','noscript','object','ol','optgroup','option','p','param','pre','q','s','samp','script','select','small','span','strike','strong','style','sub','sup','table','tbody','td','textarea','tfoot','th','thead','title','tr','tt','u','ul','var','xml','!DOCTYPE');

if (isset($_GET['tag']) && in_array($_GET['tag'], $tags))
{
   header('Content-Type: image/png');

   echo urldecode('%89PNG%0D%0A%1A%0A'), // Fake a PNG beginning
       '<', $_GET['tag'], // Fake a start tag
       '*'; // If empty, IE don't detect any tag
}
else
{
   foreach ($tags as $tag)
   {
       echo '<iframe src="test.php?tag=', $tag, '" width="50" height="20" marginwidth="0" marginheight="0" scrolling="no"></iframe>';
   }
}
2007-02-23 09:04:32
Nicolas Grekas
4
Here is an updated test script (tags added and smarter display)
Just put it in a file nammed test.php, and run it with IE :

<?php

$tags = array('a','abbr','acronym','address','applet','area','audioscope','b','base','basefont','bdo','bgsound','big','blackface','blink','blockquote','body','bq','br','button','caption','center','cite','code','col','colgroup','comment','custom','dd','del','dfn','dir','div','dl','dt','em','embed','fieldset','fn','font','form','frame','frameset','h1','h2','h3','h4','h5','h6','head','hr','html','i','iframe','ilayer','img','input','ins','isindex','keygen','kbd','label','layer','legend','li','limittext','link','listing','map','marquee','menu','meta','multicol','nobr','noembed','noframes','noscript','nosmartquotes','object','ol','optgroup','option','p','param','plaintext','pre','q','rt','ruby','s','samp','script','select','server','shadow','sidebar','small','spacer','span','strike','strong','style','sub','sup','table','tbody','td','textarea','tfoot','th','thead','title','tr','tt','u','ul','var','wbr','xml','xmp','!DOCTYPE', '!--');

if (isset($_GET['tag']) && in_array($_GET['tag'], $tags))
{
   header('Content-Type: text/plain');

   echo str_repeat(' ', 10), // Some white space
       '<', $_GET['tag'], // Fake a start tag
       '&gt;'; // Random string. If empty, IE won't detect any tag
}
else
{
   foreach ($tags as $tag)
   {
       echo '<iframe src="test.php?tag=', urlencode($tag), '" width="50" height="50" marginwidth="0" marginheight="0" scrolling="no"></iframe>';
   }
}
2007-02-23 10:21:35
Nicolas Grekas
5
Amazing how they can screw things so much. At least the <script> doesn't run if the image is inside a webpage (it shows the "broken image" icon). But I guess we'll have to check against tags in non-html files :S
2007-02-23 20:48:55
Antonio
6
Disabling option "Open file based on content, not extension" option under security tab, IE options (Custom level) will solve the problem (as for the given examples)
2007-05-16 11:40:20
Buddy21
7
Internet Explorer still executes scripts in the pdf test file, even when "Open file based on content, not extension" is disabled. Using IE 7.0.5730.11
2007-07-03 18:24:51
Ignacio
8
I tested this with IE 7.0.6000.16473 on M$ Windows Vista Home premium.
I've set IE's security to the maximum and it just displayed the PNG source in plain text.
I couldn't test the PDF since it didn't allow me to download it.

On the other hand, the XSS bug in IE still persists when its security is set to normal.
Both the PNG and PDF javascripts were executed !
2007-07-09 14:32:20
Bjorn Roesbeke
9
This has been a really anoying whole in IE that I have spent countless hours trying to figure out how to get around.  On the server side you can find the appropriate combintation of HTTP Headers that will tell IE not to guess the content type (Cache-control: no-transform and Content-Disposition: attachment - sorry I don't think inline will work).  You will probably also need to set the appropriate content type and filename with the correct file extension for this to prevent IE from guessing the content type.

Luckily - Microsoft creates secure products like SharePoint which have built in XSS vulnerabilities due to issues like this one.
2007-08-23 15:07:47
Jeremy
10
The server can make this XSS attack significantly harder with IE by setting the Content-Disposition header.  Example: Content-Disposition:attachment;filename=filename.ext

See http://blogs.msdn.com/ie/archi … 64581.aspx

But even with this "fix" IE will prompt the client to open, save, cancel.  If the document is an html document and doesn't end in one of Microsofts known extensions(.gif,.jpg,.exe,.pdf,...) or no extension at all and the client then selects open, ie will open the document in the application space and not from the local hard drive and therefore will allow the XSS attack.  

See http://seclists.org/webappsec/ … /0034.html
2007-10-25 22:49:13
James
11
we fixed this back in 2004 simply by filtering uploads and checking for same bits that IE seeks, as I wrote in http://dammit.lt/2008/01/03/ie … d-xss-bug/

the nasty part is that images retain the attack even after resize/crop/whatever, and can be perfectly normal. and the attack code can load image itself here again :)
2008-01-03 00:35:30
dammit
12
I can't replay them in my IE (6.0.2900.2180.xpsp_sp2_qfe.070227-2300), have these issues been fixed by MS?
2008-03-16 19:15:24
hax
CAPTCHA

No HTML allowed. URLs will be linked with nofollow attribute. Whitespace is preserved.

Hi, I'm Andreas Gohr and splitbrain.org is my website.
I'm a Web, Wiki and Open Source enthusiast living in Berlin, Germany. Enjoy your stay here.

Previous Blogposts

Most Popular

Delicious Bookmarks of this Page

(12 bookmarks)
2001-2010 © Andreas Gohr · Imprint/Impressum