A bug in IE allows hackers to conduct XSS attacks


Quote: Here are the technical details. Internet Explorer (IE) doesn't encode double quote characters (") in the query part of the uniform resource identifier (URI). This behavior, besides being non-standard (as stated by RFC and implemented by other browsers including Chrome or Firefox) may expose IE users to reflected XSS attacks. How? Websites may assume that the URI in the request is properly encoded by the browser and embed it "as is" in the HTML response. Since double quotes are not properly encoded by IE it may break the website's HTML structure and allow an attacker to smuggle an XSS attack against the IE user.
Quote: It's easy to verify that double quote should be "pct-encoded" and therefore represented as %22.
Quote: For example, typing the following URI in IE's address bar– 'http://example.com/Sea"rch.asp?q"="b"' over the wire it will be 'GET /Sea%22rch.asp?q"="b" '
Quote: We have contacted Microsoft and got the following response:

Thank you for writing to us. The behavior you are describing is something that we are aware of and are evaluating for changes in future versions of IE, however it's not something that we consider to be a security vulnerability that will be addressed in a security update.



Source: http://blog.imperva.com/2012/01/ie-bug-exposes-its-users-to-xss-attacks-.html
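
The server-side assumption described in the quoted text, shown next to the fix, as an added example that is not part of the original post or the Imperva article. The page template (`render_naive`, `render_escaped`) and the helper names are hypothetical; the request target is the one quoted above, and the second sample is constructed to show what a standards-following browser would send.

```python
import html
from html.parser import HTMLParser

# Request target from the post, as IE sends it: quotes in the query unencoded.
RAW_TARGET_IE = '/Sea%22rch.asp?q"="b"'
# Constructed sample: the same request from a browser that pct-encodes quotes.
RAW_TARGET_ENCODED = '/Sea%22rch.asp?q%22=%22b%22'


def render_naive(target):
    """Hypothetical template that trusts the browser to have encoded the URI."""
    return '<a href="' + target + '">permalink</a>'


def render_escaped(target):
    """Same template, HTML-escaping the value for a quoted attribute context."""
    return '<a href="' + html.escape(target, quote=True) + '">permalink</a>'


class _AnchorAttrs(HTMLParser):
    """Records the attributes an HTML parser sees on the first <a> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = attrs


def parsed_attrs(markup):
    parser = _AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def href_survives(markup, target):
    """True only if the tag has exactly one attribute and it is href == target."""
    return parsed_attrs(markup) == [("href", target)]


if __name__ == "__main__":
    for name, target in (("encoded", RAW_TARGET_ENCODED), ("IE", RAW_TARGET_IE)):
        print(name, "naive:", href_survives(render_naive(target), target),
              "escaped:", href_survives(render_escaped(target), target))
```

The naive template only holds together when the browser has already encoded the quotes; escaping at output time makes the markup independent of what the client sent.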


