Name: Microsoft Internet Explorer 'toStaticHTML' HTML Sanitizing Information Disclosure Vulnerability
Author: Adi Cohen of IBM Rational Application Security ([email protected])
Date: June 14, 2011
Risk: Medium
CVE: CVE-2011-1252
The JavaScript function toStaticHTML, which is found in Internet Explorer 8 and Internet Explorer 9, is used to sanitize HTML fragments from dynamic and potentially malicious content.
If an attacker can manage to pass malicious code through this function, s/he may be able to perform HTML injection based attacks (such as XSS).
An attacker can create a specially formed CSS that after passing through the toStaticHTML function will contain an expression that will trigger a JavaScript call.
The following JavaScript code demonstrates the vulnerability:
<script>document.write(toStaticHTML("<style>div{color:rgb(0,0,0)&a=expression(alert(1))}</style>Adi Cohen"))</script>
This code bypasses the filter engine by taking advantage of the following facts:
An attacker can use the semi-colon of the HTML encoded characters to terminate a CSS sentence and start a new one without the filtering engine being aware of it, thereby breaking the state machine.
Any application that relies on the function toStaticHTML to sanitize user supplied data is probably vulnerable to XSS.
http://www.securityfocus.com/bid/48199
http://support.avaya.com/css/P8/documents/100141412
http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx