> <object type="application/xml" data="http://www.yahoo.com" width="500"
> height="500">
> </object>

This produces a warning in IE6 before it does anything with it.

Kevin Spett
SPI Labs
http://www.spidynamics.com

> Generally html files are not well formed xml so it shouldn't be difficult to
> get this to work on just about any site
>
> --jelmer
>
>
> ----- Original Message -----
> From: "GreyMagic Software" <securityat_private>
> To: <full-disclosureat_private>
> Sent: Tuesday, June 17, 2003 12:09 PM
> Subject: [Full-Disclosure] Cross-Site Scripting in Unparsable XML Files
> (GM#013-IE)
>
>
> > GreyMagic Security Advisory GM#013-IE
> > =====================================
> >
> > By GreyMagic Software, Israel.
> > 17 Jun 2003.
> >
> > Available in HTML format at http://security.greymagic.com/adv/gm013-ie/.
> >
> > Topic: Cross-Site Scripting in Unparsable XML Files.
> >
> > Discovery date: 18 Feb 2003.
> >
> > Affected applications:
> > ======================
> >
> > Microsoft Internet Explorer 5.5 and 6.0.
> >
> > Note that any other application that uses Internet Explorer's engine
> > (WebBrowser control) is affected as well (AOL Browser, MSN Explorer, etc.).
> >
> >
> > Introduction:
> > =============
> >
> > Internet Explorer automatically attempts to parse any XML file requested
> > individually by the browser. When the parsing process is successful, a
> > dynamic tree of the various XML elements is presented. However, when a
> > parsing error occurs Internet Explorer displays the parse error along with
> > the URL of the requested XML file.
> >
> >
> > Discussion:
> > ===========
> >
> > We have found that in some cases the displayed URL is not filtered
> > appropriately, and may cause HTML that was passed in the querystring of the
> > URL to be rendered by the browser. This creates a classic cross-site
> > scripting attack in almost any XML file that MSXML fails to read.
> >
> > Practically, this means that leaving XML files on your server that can't be
> > parsed correctly by Internet Explorer and MSXML is exposing the site to a
> > global Cross-Site Scripting attack.
> >
> > We have been able to reproduce this problem in various setups, but we
> > couldn't pinpoint the vulnerable component reliably enough. It is most
> > likely an MSXML issue, and not a flaw in Internet Explorer itself.
> >
> >
> > Exploit:
> > ========
> >
> > This sample shows the basic URL for injecting content:
> >
> >
> http://host.with.unparsable.xml.file/flaw.xml?
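The advisory's practical consequence is that every XML file on a web server which MSXML cannot parse becomes a reflected cross-site scripting sink for IE 5.5/6.0 users, so the check a site operator wants is an audit of the document root for XML files that are not well-formed. The following script is an added example and is not code from the Full-Disclosure thread, from GreyMagic or from Kevin Spett. It walks a directory tree, feeds each XML-looking file to Python's expat parser, and reports the ones that fail with the parser's error message; the file-suffix list, the use of expat rather than MSXML, and the sample web root it builds in a temporary directory are all assumptions made for the example, and it does not attempt to reproduce the IE error page or the truncated exploit URL quoted above.

```python
"""Audit a directory tree for XML files that fail to parse.

Added example (not part of the Full-Disclosure thread or the GreyMagic
advisory). The advisory says any XML file MSXML cannot parse turns into a
cross-site scripting sink in IE 5.5/6.0, so the practical check is to find
every XML file under the web root that is not well-formed and fix or remove
it. Assumption: the parser used here is Python's expat, not MSXML. MSXML may
reject documents expat accepts (and vice versa), so treat a clean result as
a lower bound rather than proof that nothing is exposed.
"""
import os
import tempfile
from xml.parsers import expat

# Assumed set of extensions a browser would request as XML; extend as needed.
XML_SUFFIXES = (".xml", ".xsl", ".xslt", ".rss", ".rdf")


def well_formedness_error(data: bytes):
    """Return None if `data` is well-formed XML, else expat's error message."""
    parser = expat.ParserCreate()
    try:
        parser.Parse(data, True)  # True: this is the whole document
    except expat.ExpatError as exc:
        return str(exc)
    return None


def find_unparsable_xml(root: str) -> dict:
    """Map relative path -> parse error for every XML-looking file under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(XML_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                err = well_formedness_error(fh.read())
            if err is not None:
                findings[os.path.relpath(path, root)] = err
    return findings


# Constructed sample web root for the example; these are not real site files.
SAMPLE_FILES = {
    "feed.xml": b'<?xml version="1.0"?><rss version="2.0"><channel>'
                b'<title>ok</title></channel></rss>',
    "broken/config.xml": b'<?xml version="1.0"?><config><item>unclosed</config>',
    "broken/truncated.xml": b'<?xml version="1.0"?><doc><a>1</a><b>2</b',
    "notes.txt": b'<not xml and not checked',
}


def build_sample_root() -> str:
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="xmlaudit-")
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_root()
    for rel, err in sorted(find_unparsable_xml(root).items()):
        print(f"{rel}: {err}")
```

Run it against a real document root by replacing the temporary sample root with the server's path; every file it lists is one the advisory describes as exposing the site and should be corrected or taken down. Because the parser differs from MSXML, a file that passes here is not guaranteed to parse in IE, so the audit finds definite problems rather than proving their absence.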