hi greymagic,

First off, I can't reproduce this on my fully patched IE6.

Second, you should be able to have IE render any HTML page as an XML file like this:

<object type="application/xml" data="http://www.yahoo.com" width="500" height="500"> </object>

Generally HTML files are not well-formed XML, so it shouldn't be difficult to get this to work on just about any site.

--jelmer

----- Original Message -----
From: "GreyMagic Software" <securityat_private>
To: <full-disclosureat_private>
Sent: Tuesday, June 17, 2003 12:09 PM
Subject: [Full-Disclosure] Cross-Site Scripting in Unparsable XML Files (GM#013-IE)

> GreyMagic Security Advisory GM#013-IE
> =====================================
>
> By GreyMagic Software, Israel.
> 17 Jun 2003.
>
> Available in HTML format at http://security.greymagic.com/adv/gm013-ie/.
>
> Topic: Cross-Site Scripting in Unparsable XML Files.
>
> Discovery date: 18 Feb 2003.
>
> Affected applications:
> ======================
>
> Microsoft Internet Explorer 5.5 and 6.0.
>
> Note that any other application that uses Internet Explorer's engine
> (WebBrowser control) is affected as well (AOL Browser, MSN Explorer, etc.).
>
>
> Introduction:
> =============
>
> Internet Explorer automatically attempts to parse any XML file requested
> individually by the browser. When the parsing process is successful, a
> dynamic tree of the various XML elements is presented. However, when a
> parsing error occurs Internet Explorer displays the parse error along with
> the URL of the requested XML file.
>
>
> Discussion:
> ===========
>
> We have found that in some cases the displayed URL is not filtered
> appropriately, and may cause HTML that was passed in the querystring of the
> URL to be rendered by the browser. This creates a classic cross-site
> scripting attack in almost any XML file that MSXML fails to read.
>
> Practically, this means that leaving XML files on your server that can't be
> parsed correctly by Internet Explorer and MSXML is exposing the site to a
> global Cross-Site Scripting attack.
>
> We have been able to reproduce this problem in various setups, but we
> couldn't pinpoint the vulnerable component reliably enough. It is most
> likely an MSXML issue, and not a flaw in Internet Explorer itself.
>
>
> Exploit:
> ========
>
> This sample shows the basic URL for injecting content:
>
> http://host.with.unparsable.xml.file/flaw.xml?
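The advisory quoted above comes down to two things a site operator can act on: unparsable XML files left on the server are the precondition, and an error page that places the requested URL into HTML without escaping it is the defect. The Python below is an added illustration, not code from GreyMagic, from jelmer's reply, or from any Microsoft component: it audits a set of XML documents for well-formedness, contrasts an error renderer that reflects the URL verbatim with one that HTML-escapes it, and flags request URLs whose querystring carries markup characters so they can be picked out of access logs. The file contents and URLs are constructed samples; the function names are this example's own.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote

# Constructed sample documents (not from the advisory): one well-formed,
# one with a mismatched closing tag that any conforming parser rejects.
SAMPLE_FILES = {
    "ok.xml": "<?xml version='1.0'?><root><item>1</item></root>",
    "flaw.xml": "<?xml version='1.0'?><root><item>1</root>",
}

# Constructed request URL carrying harmless markup in the querystring.
SAMPLE_URL = "http://example.invalid/flaw.xml?<b>constructed</b>"


def is_well_formed(xml_text: str) -> bool:
    """True if the document parses. An unparsable file is what makes the
    client show a parse-error page in the first place."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def find_unparsable(files: dict) -> list:
    """Audit step for the server side: names of documents that will trigger
    a parse-error page, i.e. the files the advisory says should not be
    left lying around."""
    return sorted(name for name, text in files.items() if not is_well_formed(text))


def render_error_unsafe(url: str, message: str) -> str:
    """Reflects the requested URL into HTML verbatim. This is the pattern the
    advisory describes; kept only to contrast with render_error_safe."""
    return f"<p>{message}</p><p>URL: {url}</p>"


def render_error_safe(url: str, message: str) -> str:
    """Escapes both the message and the URL before they enter HTML, so any
    markup in the querystring is shown as text rather than rendered."""
    return (
        f"<p>{html.escape(message)}</p>"
        f"<p>URL: {html.escape(url, quote=True)}</p>"
    )


def query_carries_markup(url: str) -> bool:
    """Log-review helper: True when the (percent-decoded) querystring
    contains characters that only matter if they end up rendered as HTML."""
    query = unquote(urlsplit(url).query)
    return any(ch in query for ch in "<>\"'")


if __name__ == "__main__":
    print("unparsable:", find_unparsable(SAMPLE_FILES))
    print("unsafe :", render_error_unsafe(SAMPLE_URL, "XML parse error"))
    print("safe   :", render_error_safe(SAMPLE_URL, "XML parse error"))
    print("flagged:", query_carries_markup(SAMPLE_URL))
```

The audit function is the cheap mitigation: run it over the XML a web root serves and fix or remove anything it reports, independent of whether the client-side escaping bug is ever patched. The two renderers show that the fix on the error-page side is a single escape call on the reflected value, and the log helper gives a simple signal for spotting requests probing that page.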