[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml

To: IEhrepus <5up3rh3i@xxxxxxxxx>
Subject: Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml
From: Michal Zalewski <lcamtuf@xxxxxxxxxxx>
Date: Wed, 26 Jan 2011 21:43:28 -0800

> 1.www.google.com app don't filter the CRLF

This is not strictly required; there are other scenarios where this
vulnerability is exploitable.

> 2.IE support mhtml protocol handler to render the mhtml file format,
> and this is the why mhtml: is designed

The real problem is that when mhtml: is used to fetch the container
over an underlying protocol, it does not honor Content-Type and
related headers (or even "nosniff").

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml
  - From: Valdis . Kletnieks
- Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml
  - From: IEhrepus

References:
- Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml
  - From: Yigit Turgut
- Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml
  - From: Michal Zalewski
- Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml
  - From: IEhrepus

Prev by Date: Re: [Full-disclosure] http://security.goatse.fr/gaping-hole-exposed
Next by Date: Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml
Previous by thread: Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml
Next by thread: Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml
Index(es):
- Date
- Thread