XSS using Atom feed in www.ibm.com

Abstract:
A XSS using Atom feed was in www.ibm.com (already fixed).
This XSS technique appears only by IE6, not appears on IE7 and Firefox.

Poc:
  http://www.ibm.com/fscripts/search/opensearch/search.fcgi/a.html?
  q=%2BADw-/title%2BAD4-%2BADw-script%2bAD4-alert(document.location)
  %2BADw-/script%2BAD4-&v=16&en=utf&lang=ja&cc=en&format=atom&startIndex=1

  When it accesses this URL over IE6, the script operates.

Details:
By adding the "format=atom" parameter, "Content-Type: application/atom+xml"
is returned as a response header.

Note that the charset is not given. This becomes the first step to the attack.

Next, IE6 cannot understand "application/atom+xml" as Content-Type.
This is the second step.

The third step, the original search URL in ibm.com is following:
  http://www.ibm.com/fscripts/search/opensearch/search.fcgi?q=....
Even if PATH_INFO is added as follows, it operates.
  http://www.ibm.com/fscripts/search/opensearch/search.fcgi/a.html?q=....
And IE6 judges the file type to be HTML by adding PATH_INFO  with
Content-Type cannot judged.

Therefore, IE6 interprets contents as a HTML encoded with UTF-7 and
the script included in the parameter can be operated.

Solution:
Now, Charset is added to content-type in this CGI like
as "Content-Type: application/atom+xml; charset=utf-8" and
moreover, "%3c" in "q" parameter is encoded to "<".
As a result, injecting the script by UTF-7 is impossible.

There is another solution as follows.

When Content-Type cannot be understood, IE6 starts deciding
file type by the Content-Disposition header.
Then, it can be prevented from being judged file type as HTML
by PATH_INFO with adding Content-Disposition header such as:
"Content-Disposition: inline; filename=a.xml"

-- 
HASEGAWA Yosuke
    yosuke.hasegawa@gmail.com