Quotation Mark Parsing Flaw Makes IE Users Vulnerable to Attack
A bug in Microsoft’s Internet Explorer has left users of the popular browser vulnerable to cross-site scripting attacks, according to researchers at the security firm Imperva Data Security.
The flaw stems from an error in the way double quotes are encoded by IE. According to Imperva’s Rob Rachwald, it could have some serious consequences for websites that support IE.
Imperva researchers discovered that IE fails to percent-encode double quote characters in the query part of the uniform resource identifier (URI), as it should according to IETF RFC 3986, which spells out proper URI syntax. According to that document, double quote characters (") should be rendered as %22 when they appear in URIs. While IE does this for some parts of a URI, double quotes that appear in the query component of a URI are not translated - a lapse that could cause IE browsers to splice a malicious link or other attack code into a URI.
The problem with double quote characters is not present in competing browsers such as Firefox and Google Chrome, Rachwald said.
Website developers operate under the assumption that requests coming from IE are properly encoded by the browser.
Imperva reached out to Microsoft about the bug. In their response, Microsoft downplayed the vulnerability, saying “[this flaw is] not something that we consider to be a security vulnerability that will be addressed in a security update.”
Rachwald and Imperva disagree. Citing XSSed.com, a site for public disclosures of XSS vulnerabilities, Rachwald claims there are sites listed that are currently experiencing XSS attacks stemming from the coding error in question and affecting only IE users.
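The following is an added example, not code from the article or from Imperva. It shows why a page that reflects the request target into an HTML attribute cannot rely on the browser having sent %22, and how encoding for the output context closes the gap. The function names and the sample request targets are constructed for illustration.

```javascript
// Added example: hypothetical helper names, constructed inputs.

// Escape the characters that can end or alter a quoted HTML attribute.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": assumes the client percent-encoded every double quote.
function renderLinkUnsafe(rawRequestTarget) {
  return '<a href="' + rawRequestTarget + '">permalink</a>';
}

// "After": encodes for the attribute context regardless of what the client sent.
function renderLinkSafe(rawRequestTarget) {
  return '<a href="' + escapeHtmlAttr(rawRequestTarget) + '">permalink</a>';
}

// Read back the href the way an HTML parser would: the value ends at the
// first literal double quote, then character references are decoded.
function extractHref(html) {
  const m = /href="([^"]*)"/.exec(html);
  if (!m) return null;
  return m[1]
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Constructed request targets: one as an RFC 3986 compliant client sends it,
// one with the literal double quote left in the query component.
const compliant = '/search?q=a%22b&page=2';
const literalQuote = '/search?q=a"b&page=2';

for (const target of [compliant, literalQuote]) {
  const unsafeOk = extractHref(renderLinkUnsafe(target)) === target;
  const safeOk = extractHref(renderLinkSafe(target)) === target;
  console.log(JSON.stringify(target), 'unsafe intact:', unsafeOk, 'safe intact:', safeOk);
}
```

With the literal quote, the unsafe version's href ends at `/search?q=a` and the remainder of the request target lands in the markup outside the attribute value; the escaped version keeps the whole value inside the attribute.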
Comments
"Website developers operate under the assumption that requests coming from IE are properly encoded by the browser."
Excuse me? Rule 1 of secure programming: Never trust the client. Someone smack those web developers upside the head.
Microsoft, as usual, don't care unless they happen to get stung.
Yep, there is no excuse for laziness.
What sane person, in this day and age, relies on the browser to protect their application?
Based on Imperva's business, I'd guess that they are accustomed to telling their customers that their web app security firewall will fix crappy code written by their customers. Perhaps this is why they choose to alert Microsoft that IE doesn't do something with quotes.
I'm not even sure this is a bug in light of the RFC. Also, many browsers (including Chrome) do not encode the single quote, which can equally lead to 'breaking out' of attribute values. Also, many languages automatically decode pct-encoded query strings.
Whenever you build a URL to use in an attribute you need to make sure that:
"