Secunia Advisory SA24314: Internet Explorer Charset Inheritance Cross-Site Scripting Vulnerability
Description
Stefan Esser has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct cross-site scripting attacks.

The vulnerability exists because pages that don't specify a charset inherit the charset of the parent page. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of certain sites that are included, e.g. via iframes, in a malicious page that uses UTF-7 as its charset.

Successful exploitation requires that the user is tricked into visiting a malicious web site.

The vulnerability is confirmed in Internet Explorer 7 and 8 on a fully patched Windows XP. Other versions may also be affected.
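A defender-side check for the condition described above, as an added example that is not part of the Secunia advisory: it flags HTML responses that declare no charset in either the Content-Type header or a meta element, which are the pages that would inherit a framing page's charset. The sample responses, the function names, and the 1024-byte meta scan window are assumptions made for the illustration.

```python
import re

# Constructed (headers, body) samples for illustration; not from the advisory.
SAMPLES = {
    "header_charset": ({"Content-Type": "text/html; charset=utf-8"},
                       b"<html><body>ok</body></html>"),
    "meta_charset": ({"Content-Type": "text/html"},
                     b'<html><head><meta charset="iso-8859-1"></head></html>'),
    "meta_http_equiv": ({"content-type": "text/html"},
                        b'<meta http-equiv="Content-Type" '
                        b'content="text/html; charset=windows-1252">'),
    "undeclared": ({"Content-Type": "text/html"},
                   b"<html><body>search results</body></html>"),
    "not_html": ({"Content-Type": "application/json"}, b"{}"),
}

HTML_TYPES = {"text/html", "application/xhtml+xml"}
META_RE = re.compile(rb"""<meta[^>]+charset\s*=\s*["']?\s*([A-Za-z0-9._:-]+)""", re.I)
PRESCAN_BYTES = 1024  # assumption: only look for a meta declaration near the top

def header_charset(content_type):
    """Return the charset parameter of a Content-Type value, or None."""
    for part in content_type.split(";")[1:]:
        name, _, value = part.partition("=")
        if name.strip().lower() == "charset" and value.strip():
            return value.strip().strip("\"'").lower()
    return None

def audit(headers, body):
    """Return (status, source, charset) for one response."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if ctype.split(";")[0].strip().lower() not in HTML_TYPES:
        return ("not-html", None, None)
    charset = header_charset(ctype)
    if charset:
        return ("declared", "header", charset)
    match = META_RE.search(body[:PRESCAN_BYTES])
    if match:
        return ("declared", "meta", match.group(1).decode("ascii").lower())
    return ("undeclared", None, None)  # page would inherit a parent's charset

def exposed_pages(samples):
    """Names of responses that declare no charset at all."""
    return sorted(n for n, (h, b) in samples.items() if audit(h, b)[0] == "undeclared")

if __name__ == "__main__":
    for name, (hdrs, body) in SAMPLES.items():
        print(name, audit(hdrs, body))
```
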