Comments on: Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection

By: hacky

hacky — Sat, 28 Nov 2009 16:33:08 +0000

To make things worse MS put the same IE code on windows 7 too… latest IE still vulnerable…

By: Inferno

Inferno — Mon, 16 Nov 2009 21:59:04 +0000

@Dave, if you are seeing XSS, then script is executing, which means that your IE is vulnerable. If you want to see the cookie as well, you need to signup for a 50webs.com account, signin and then go to the exploit page.

By: Dave Dows

Dave Dows — Mon, 16 Nov 2009 17:53:00 +0000

If I understand your test correctly, then my IE8 is not vulnerable or one of my security products is blocking this. The popup contains only the text “XSS” without your 50webs.com member cookie.

IE8 Version 8.0.6001.18702
Windows XP Build 2600.xpsp.080320-1628 (Service Pack 3) fully patched
AVG LinkScanner® version: 8.5.362
SnoopFree Privacy Shield 1.0.7
NIS 2010, MBAM, SAS

By: LayZee

LayZee — Mon, 21 Sep 2009 23:12:10 +0000

Been around since IE6 and still not patched in IE8?! Shame on you, M$!!

Tested and found vulnerable on IE 8.0.7600.16385 @ Windows 7 Pro x64.

By: Inferno

Inferno — Mon, 24 Aug 2009 03:47:17 +0000

hi breezy, IE does not encode the URL, = and & are allowable in URL. Vulnerability exists in GET and other scenarios as well such as POST, persistent XSS, etc.

By: Breezy

Breezy — Mon, 24 Aug 2009 02:22:11 +0000

Nice find. Would it be correct to assume that if a page’s URL must contain the characters = or &, then the page is not vulnerable in this context? IE seems to be encoding the URL in the GET request as such:

http://example.com/test.php?thing1=1&thing2=2
becomes
http://example.com/test.php?thing1+AD0-1+ACY-thing2+AD0-2

= and & seem to be an impossibility for the target URL

By: Inferno

Inferno — Thu, 02 Jul 2009 03:38:50 +0000

Hi Joe, As far as I know, Microsoft hasn’t patched this yet. So, it should work fine on your machine. Try two things – (1) try loading http://webappsec.50webs.com/utf-71.html directly to see if you can access the child page [you should see utf-7 string and no DNS error] (2) then try disabling blink antimalware and seeing what results you get when accessing http://www.securethoughts.com/security/ie8utf7/ie8utf-7.html

By: Joe

Joe — Thu, 02 Jul 2009 02:45:30 +0000

My one data point:

I tried the link http://www.securethoughts.com/security/ie8utf7/ie8utf-7.html using IE 8.0 .6001.18783 on Vista Home Premium. I did not see the popup. I got a DNS error in the iframe.

I am running Blink antimalware to help protect against this kind of rogue behavior, but there was nothing in the event logs.

By: Inferno

Inferno — Sat, 27 Jun 2009 00:24:07 +0000

Hi Nik,

Thanks for bringing this up. I forgot to mention Google Chrome in the post. Google Chrome is not vulnerable to this exploit. The version I tested was 2.0.172.33.

By: N Blackwell

N Blackwell — Fri, 26 Jun 2009 20:49:12 +0000

Is Google Chrome affected by this?