HTML Sanitizing Information Disclosure - CVE-2011-1252
Introduction
The JavaScript function toStaticHTML, which is found in Internet Explorer 8 and Internet Explorer 9, is used to sanitize
HTML fragments by removing dynamic and potentially malicious content.
If an attacker is able to break the filtering mechanism and pass malicious code through this function, they may be
able to perform HTML-injection-based attacks (i.e. XSS).
Vulnerability
An attacker is able to create specially crafted CSS that, after passing through the toStaticHTML function, will contain
an expression that triggers a JavaScript call.
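A defence-in-depth check for the failure described above, as an added example (not code from the advisory or from Microsoft): it inspects a sanitizer's output for a CSS `expression(` and refuses to hand that output on. The helper names and the regex-based CSS extraction are assumptions; in a browser the style values would be read from the parsed DOM instead.

```javascript
// Added example; helper names are hypothetical, not from the advisory.

// Undo CSS syntax that can hide a keyword: comments and backslash escapes.
function normalizeCss(css) {
  return css
    .replace(/\/\*[\s\S]*?(?:\*\/|$)/g, '') // comments, including an unterminated one
    .replace(/\\(?:([0-9a-f]{1,6})\s?|([^\r\n\f]))/gi, (_, hex, ch) => {
      if (!hex) return ch;                  // "\x" is just "x" for non-hex characters
      const cp = parseInt(hex, 16);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
    })
    .toLowerCase();
}

// Pull CSS out of <style> elements and style attributes of serialized HTML.
// Assumption: attribute values are scanned as written (no HTML entity decoding).
function extractCss(html) {
  const chunks = [];
  const styleEl = /<style\b[^>]*>([\s\S]*?)(?:<\/style\s*>|$)/gi;
  const styleAttr = /\sstyle\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = styleEl.exec(html)) !== null) {
    chunks.push({ where: 'style element', css: m[1] });
  }
  while ((m = styleAttr.exec(html)) !== null) {
    chunks.push({ where: 'style attribute', css: m[1] || m[2] || m[3] || '' });
  }
  return chunks;
}

// Report every CSS chunk that contains expression( after normalization.
function findCssExpressions(sanitizedHtml) {
  return extractCss(sanitizedHtml)
    .filter(({ css }) => /expression\s*\(/.test(normalizeCss(css)))
    .map(({ where }) => where);
}

// `sanitize` is supplied by the caller (in IE8/9 that would be window.toStaticHTML).
function sanitizeAndVerify(untrustedHtml, sanitize) {
  const out = sanitize(untrustedHtml);
  const hits = findCssExpressions(out);
  if (hits.length > 0) {
    throw new Error('sanitizer output contains CSS expression(): ' + hits.join(', '));
  }
  return out;
}
```

The check is deliberately conservative: it rejects any CSS chunk in which `expression(` appears once comments and escapes are resolved, whatever the surrounding property.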
The following JavaScript code will demonstrate the vulnerability: