Vigil@nce: Internet Explorer 8, Cross Site Scripting of the anti-XSS
December 2009 by Vigil@nce
An attacker can use the Anti Cross Site Scripting feature of
Internet Explorer 8, in order to create a Cross Site Scripting
attack.
– Severity: 1/4
– Consequences: client access/rights
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: multiples sources (3/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 09/12/2009
IMPACTED PRODUCTS
– Microsoft Internet Explorer
DESCRIPTION OF THE VULNERABILITY
The Anti Cross Site Scripting feature of Internet Explorer 8
changes pages on the fly, in order to block Cross Site Scripting
attacks.
However, an attacker can use this feature to generate a Cross Site
Scripting.
Technical details are unknown.
CHARACTERISTICS
– Identifiers: BID-37135, CVE-2009-4074, VIGILANCE-VUL-9254
– Url: http://vigilance.fr/vulnerability/Internet-Explorer-8-Cross-Site-Scripting-of-the-anti-XSS-9254