Microsoft Internet Explorer 'toStaticHTML' HTML Sanitizing

Name: Microsoft Internet Explorer 'toStaticHTML' HTML Sanitizing Information \ Disclosure Vulnerability Author: Adi Cohen of IBM Rational Application Security (adic@il.ibm.com) Date: June 14, 2011 Risk: Medium CVE: CVE-2011-1252 Introduction ------------- The JavaScript function toStaticHTML, which is found in Internet Explorer 8 and \ Internet Explorer 9, is used to sanitize HTML fragments from dynamic and potentially \ malicious content. If an attacker can manage to pass malicious code through this \ function, s/he may be able to perform HTML injection based attacks (such as XSS). Vulnerability ------------- An attacker can create a specially formed CSS that after passing through the \ toStaticHTML function will contain an expression that will trigger a JavaScript call. The following JavaScript code demonstrates the vulnerability: <script>document.write(toStaticHTML("<style>div{color:rgb(0,0,0)&a=expression(alert(1) \ )}</style>Adi Cohen"))</script> This code bypasses the filter engine by taking advantage of the following facts: 1. The filtering engine allows the string "expression(" to exist in "non-dangerous" \ locations within the CSS 2. The filtering engine changes special characters (such as \ & , < , >) to their HTML encoded equivalents (& , > , <), which all end \ with a semicolon An attacker can use the semi-colon of the HTML encoded characters to terminate a CSS \ sentence and start a new one without the filtering engine being aware of it, thereby \ breaking the state machine. Impact ------ Any application that relies on the function toStaticHTML to sanitize user supplied \ data is probably vulnerable to XSS. References ---------- http://www.securityfocus.com/bid/48199 http://support.avaya.com/css/P8/documents/100141412 http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx