XSS using Atom feed in www.ibm.com Abstract: A XSS using Atom feed was in www.ibm.com (already fixed). This XSS technique appears only by IE6, not appears on IE7 and Firefox. Poc: http://www.ibm.com/fscripts/search/opensearch/search.fcgi/a.html? q=%2BADw-/title%2BAD4-%2BADw-script%2bAD4-alert(document.location) %2BADw-/script%2BAD4-&v=16&en=utf&lang=ja&cc=en&format=atom&startIndex=1 When it accesses this URL over IE6, the script operates. Details: By adding the "format=atom" parameter, "Content-Type: application/atom+xml" is returned as a response header. Note that the charset is not given. This becomes the first step to the attack. Next, IE6 cannot understand "application/atom+xml" as Content-Type. This is the second step. The third step, the original search URL in ibm.com is following: http://www.ibm.com/fscripts/search/opensearch/search.fcgi?q=.... Even if PATH_INFO is added as follows, it operates. http://www.ibm.com/fscripts/search/opensearch/search.fcgi/a.html?q=.... And IE6 judges the file type to be HTML by adding PATH_INFO with Content-Type cannot judged. Therefore, IE6 interprets contents as a HTML encoded with UTF-7 and the script included in the parameter can be operated. Solution: Now, Charset is added to content-type in this CGI like as "Content-Type: application/atom+xml; charset=utf-8" and moreover, "%3c" in "q" parameter is encoded to "<". As a result, injecting the script by UTF-7 is impossible. There is another solution as follows. When Content-Type cannot be understood, IE6 starts deciding file type by the Content-Disposition header. Then, it can be prevented from being judged file type as HTML by PATH_INFO with adding Content-Disposition header such as: "Content-Disposition: inline; filename=a.xml" -- HASEGAWA Yosuke yosuke.hasegawa@gmail.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/