Vigil@nce - IE: script injection via MHTML
February 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can invite the victim to see a malicious HTML page
containing a mhtml uri injecting JavaScript in the reply of a web
site, in order for example to obtain information.
Severity: 2/4
Creation date: 31/01/2011
IMPACTED PRODUCTS
- Microsoft Internet Explorer
- Microsoft Windows 2003
- Microsoft Windows 2008
- Microsoft Windows 7
- Microsoft Windows Vista
- Microsoft Windows XP
DESCRIPTION OF THE VULNERABILITY
The MHTML (MIME Encapsulation of Aggregate HTML) format
encapsulates an HTML document and its objects inside a MIME
document.
Internet Explorer does not set the type of a MHTML document by
looking the Content-Type of the HTTP reply, but it analyzes the
content of the HTTP reply and automatically detects the type.
Some web sites do not filter line feeds contained in parameters,
and their HTTP reply thus contain attacker’s line feeds.
By combining these two errors, an attacker can use:
http://site/para=here_mhtml
The vulnerable web site then returns:
the begining of the normal page
here_mhtml (containing HTML which contains a script)
the end of the normal page
Internet Explorer thus detects the MHTML part, and interprets the
script code in the context of the web site.
When a web site does not filter line feeds, an attacker can
therefore invite the victim to see a malicious HTML page
containing a mhtml uri injecting JavaScript in the web site reply,
in order for example to obtain information.
Other attack methods exists. For example, if the attacker can
upload a file containing MHTML on the web site, he can also
exploit this vulnerability.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/IE-script-injection-via-MHTML-10316