HTML Sanitizing Information Disclosure - CVE-2011-1252
Introduction
The JavaScript function toStaticHTML, found in Internet Explorer 8 and Internet Explorer 9, is used to sanitize
HTML fragments containing dynamic and potentially malicious content.
If an attacker is able to break the filtering mechanism and pass malicious code through this function, he/she may be
able to perform HTML-injection-based attacks (i.e. XSS).
Vulnerability
An attacker is able to craft specially formed CSS that, after passing through the toStaticHTML function, still contains
a CSS expression that triggers a JavaScript call.
The following JavaScript code demonstrates the vulnerability:
<script>document.write(toStaticHTML("<style>div{color:rgb(0,0,0)&a=expression(alert(1))}</style>Adi Cohen"))</script>
This code bypasses the filter engine for two reasons:
- The filtering engine allows the string "expression(" to exist in "non-dangerous" locations within the CSS.
- The filtering engine encodes characters such as ( & , < , > , etc…) to their HTML encoded entities (&amp; , &lt; , &gt; , etc…).
Combining these two facts, the attacker can use the semicolon that terminates an HTML encoded entity
to end one CSS statement and start a new one without the filtering engine
realizing it, thus breaking the filter's state machine and bypassing it.
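As an added defensive example (not code from the advisory, IBM or Microsoft), the gate below rejects sanitizer output whose <style> bodies or style attributes still contain expression( anywhere, after undoing the entity encoding described above; the entity-encoding helper is a constructed stand-in for that one filter behaviour, not the real toStaticHTML.

```javascript
// Added example: a post-sanitization gate that refuses style content still
// containing a CSS expression() call, no matter where in the CSS it sits.

// Constructed stand-in for the one filter behaviour the advisory describes
// (entity-encoding &, < and > inside <style>); NOT the real toStaticHTML.
function mimicEntityEncodingSanitizer(fragment) {
  return fragment.replace(/<style>([\s\S]*?)<\/style>/gi, (m, css) =>
    "<style>" + css.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;") + "</style>");
}

// Undo the entities the filter introduced so the scan sees the characters
// the CSS engine will effectively work with.
function decodeBasicEntities(s) {
  return s.replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">")
          .replace(/&#(\d+);/g, (m, n) => String.fromCharCode(Number(n)));
}

// Returns every <style> body or style="" value that still carries
// expression( after decoding, comment stripping and whitespace removal.
// An empty array means the sanitizer output passes this gate.
function findCssExpressions(sanitizedHtml) {
  const hits = [];
  const scan = (css) => {
    const norm = decodeBasicEntities(css)
      .replace(/\/\*[\s\S]*?\*\//g, "")   // drop CSS comments
      .replace(/\s+/g, "")                // drop whitespace
      .toLowerCase();
    if (norm.includes("expression(")) hits.push(css);
  };
  const styleBlock = /<style[^>]*>([\s\S]*?)<\/style>/gi;
  const styleAttr = /\sstyle\s*=\s*("[^"]*"|'[^']*')/gi;
  let m;
  while ((m = styleBlock.exec(sanitizedHtml)) !== null) scan(m[1]);
  while ((m = styleAttr.exec(sanitizedHtml)) !== null) scan(m[1].slice(1, -1));
  return hits;
}

// The advisory's own payload run through the stand-in sanitizer: the
// expression( survives the encoding step (the bypass), but the gate flags it.
const ADVISORY_PAYLOAD = "<style>div{color:rgb(0,0,0)&a=expression(alert(1))}</style>Adi Cohen";

function gateAdvisoryPayload() {
  const sanitized = mimicEntityEncodingSanitizer(ADVISORY_PAYLOAD);
  return { sanitized, offending: findCssExpressions(sanitized) };
}

const result = gateAdvisoryPayload();
console.log(result.offending.length === 0 ? "clean" : "REJECT: " + result.offending.join(" | "));
```

The gate is deliberately blunt: it does not try to decide which locations are "non-dangerous", which is exactly the judgement the filter got wrong.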
Impact
Every application that relies on the function toStaticHTML to sanitize user-supplied data is now probably
vulnerable to XSS.
References
http://www.securityfocus.com/bid/48199
http://support.avaya.com/css/P8/documents/100141412
http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx
Discovered by - Adi Cohen, IBM Application Security Research