
mimeenCap.txt
Posted Feb 28, 2005
Authored by bitlance winter

A possible cross site scripting issue exists with Internet Explorer on Windows XP SP2 via MIME Encapsulation of aggregate HTML documents.

tags | advisory, xss
systems | windows
SHA-256 | e76b7dff6e7f071957396721d5553e750215e4cbc254ce242637827495fd2676

Hi, LIST.

========
subject:
========
Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate
HTML Documents

========
NOTE:
========
This bug was published by an unknown person on his site.
This bug has been widely known in Japan since August 2004.
(This news was reported.)
Now his site is closed.
Some engineers prevented this bug. They are maintaining Web services.
Wiki, Webmail, Blog, BBS: those might be dangerous.

========
First:
========

I want to show the following first. Please check it out using IE on XP SP2.

The cat is here.
http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg

And the cat is a script kitty.
mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg

You see? Executing JavaScript? OK.
If you are using old IE or Windows, try this one.
mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg.mhtml

Confirmed?

========
Second:
========

What is happening to us?
Please check it out.
http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt
or same file,
http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt

This is a test message which demonstrates sending e-mail
in HTML format according to RFC 2557.

And check this out, please.
mhtml:http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt
or same file,
mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt


========
Third:
========

Then we can change Content-Transfer-Encoding:
from '7bit' to 'quoted-printable'.
Check it out, please.
http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt


----- q2.txt ------
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

=3C!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"=3E
=3CHTML=3E
=3CHEAD=3E=3CTITLE=3ETest message no. 3=3C/TITLE=3E
=3C/HEAD=3E
=3CBODY=3E
=3CH1=3EThis is test message no. 3=3C/H1=3E

=3CH2=3EHere comes the red test image:=3C/H2=3E
=3CIMG SRC=3D"http://www.dsv.su.se/jpalme/mimetest/red-test-image.gif"
BORDER=3D0 HEIGHT=3D32 WIDTH=3D117
ALT=3D"red test image"=3E

=3CH2=3EHere comes the yellow test image:=3C/H2=3E
=3CIMG SRC=3D"http://www.dsv.su.se/jpalme/mimetest/yellow-test-image.gif"
BORDER=3D0 HEIGHT=3D32 WIDTH=3D152
ALT=3D"yellow test image"=3E

=3CP=3EThis is the last line of this test message.
=3C/BODY=3E=3C/HTML=3E
----- q2.txt ------

Where is the HTML tag?
Do you know how to sanitise?
mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt

The malicious code would be inserted by a malicious user
on a Blog, Wiki, or BBS with a file uploader, etc.
JPEG files or GIF files are also poisoned.

There is a possible XSS issue on Windows XPSP2 IE6 via MHTML.

========
Reference:
========

Using HTML in E-mail
http://www.dsv.su.se/jpalme/ietf/mhtml.html

MIME Encapsulation of Aggregate HTML Documents (MHTML)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml_.asp

RFC 2045 - Multipurpose Internet Mail Extensions (MIME) Part One: Format of
Internet Message Bodies
http://www.faqs.org/rfcs/rfc2045.html

===========

Sorry for my bad English.
Best Regards.

===========
--
bitlance winter
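
Added example, not part of the original post: a sketch of an upload check for the case shown in q2.txt, where a filter that looks for literal HTML tags finds none because every angle bracket is quoted-printable encoded. The function names are hypothetical, and treating a Content-Transfer-Encoding header on any line of an upload as a MIME part is a conservative assumption of this sketch, not a description of how IE parses the file.

```python
import base64
import binascii
import quopri
import re

# A Content-Transfer-Encoding header at the start of any line marks a MIME part.
CTE_HEADER = re.compile(rb"^content-transfer-encoding\s*:\s*([\w-]+)", re.I | re.M)
# Tags that become active if the decoded body is rendered as HTML.
HTML_MARKUP = re.compile(
    rb"<\s*/?\s*(!doctype|html|head|body|script|img|iframe|object)\b", re.I)

def naive_tag_check(data: bytes) -> bool:
    """The kind of filter the post asks about: looks for literal tags only."""
    return HTML_MARKUP.search(data) is not None

def decode_part(body: bytes, encoding: bytes) -> bytes:
    """Undo the declared transfer encoding; identity for 7bit/8bit/binary."""
    try:
        if encoding == b"quoted-printable":
            return quopri.decodestring(body)
        if encoding == b"base64":
            return base64.b64decode(body, validate=False)
    except (binascii.Error, ValueError):
        return b""
    return body

def inspect_upload(data: bytes) -> list:
    """Return reasons to reject an upload; an empty list means nothing found."""
    reasons = []
    if naive_tag_check(data):
        reasons.append("raw-html")
    for match in CTE_HEADER.finditer(data):
        encoding = match.group(1).lower()
        reasons.append("mime-header:" + encoding.decode("ascii"))
        if HTML_MARKUP.search(decode_part(data[match.end():], encoding)):
            reasons.append("html-after-decoding")
    return reasons

# Constructed samples: the first is an excerpt of q2.txt as quoted in the post.
Q2_EXCERPT = (b"Content-Type: text/html; charset=us-ascii\r\n"
              b"Content-Transfer-Encoding: quoted-printable\r\n\r\n"
              b"=3CHTML=3E\r\n=3CBODY=3E\r\n"
              b"=3CH1=3EThis is test message no. 3=3C/H1=3E\r\n"
              b"=3C/BODY=3E=3C/HTML=3E\r\n")
FAKE_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;\r\n" + Q2_EXCERPT
PLAIN_NOTE = b"Just a note about a cat picture.\n"

if __name__ == "__main__":
    for name, blob in [("q2", Q2_EXCERPT), ("gif", FAKE_GIF), ("note", PLAIN_NOTE)]:
        print(name, naive_tag_check(blob), inspect_upload(blob))
```

The literal-tag filter passes both encoded samples, while the decode-then-inspect check rejects them and still accepts the plain note.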
