Microsoft Internet Explorer 6.0 embedded content cross site scripting
scip AG Vulnerability ID 1746 (09/22/2005)
Microsoft Internet Explorer is since many years the most popular web
browser. The main reason for this popularity is the default use in the
latest releases of the Microsoft Windows operating system series.
More Information are available at the official Microsoft Internet
Explorer web site:
Sven Vetsch found a cross site scripting vulnerability in the current
releases of Microsoft Internet Explorer. Thus, it is possible to use a
manipulated embedded content to run arbitrary script code in the
security context of the website.
The problem lies in the handling of the content of such files (e.g. a
picture). In the first place the usual file header (e.g. for GIF files)
is provided - The remaining content of the file could be usual html
data. Therefore embedding script code in the latter may be possible.
This injected code is executed by the HTML rendering engine of the web
browser. In the proof-of-concept by Sven Vetsch and the examples of scip
AG a GIF file is used (see chapter III). But it seems other files that
could be embedded in an html file could be used too (e.g. JPG, WAV, AVI,
It seems that the Internet Explorer is putting all the data (HTML frame
and embedded content) into one stream. Afterwards this one is put thru
the rendering engine. This is not able to determine the real beginning
and end of an embedded file. Content of those - not expected in any way
- is handled as HTML code too.
More details are available at the scip vulnerability Database at
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1746 (german only).
The following proof-of-concept has been published in the articles "Wie
mit GIF-Bildern Cross Site Scripting-Angriffe im Internet Explorer
umgesetzt werden k=F6nnen" in scip monthly Security Summary Issue 19.
September 2005 (pp. 12-14) and "GIF-Bug im Internet Explorer 6 -
Proof of Concept" at computec.ch: