Dear bitlance winter,

Using MHTML to bypass content filtering for scripting was at least
reported here by offtopic, as well as a few more tricks. You may want to
read this:

offtopic, 3APA3A. Bypassing client application protection techniques
http://www.security.nnov.ru/advisories/bypassing.asp

and this

3APA3A. Bypassing content filtering whitepaper
http://www.security.nnov.ru/advisories/content.asp

--Monday, February 28, 2005, 6:11:31 PM, you wrote to 
[email protected]:

bw> Hi, LIST.

bw> ========
bw> subject:
bw> ========
bw> Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate
bw> HTML Documents

bw> ========
bw> NOTE:
bw> ========
bw> This bug had been provided by an unknown person on his site.
bw> This bug is widely known in Japan since August, 2004.
bw> (This news was reported.)
bw> Now his site is closed.
bw> Some engineers prevented this bug. They are maintaining Web services.
bw> Wiki, Webmail, Blog, BBS, those might be dangerous.

bw> ========
bw> First:
bw> ========

bw> I want to show the following first. Please check it out using IE on XPSP2.

bw> The cat is here.
bw> http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg

bw> And the cat is a script kitty.
bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg

bw> You see? executing JavaScript? Ok.
bw> If you are using old IE or Windows, try this one.
bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/scriptkitty.jpg.mhtml

bw> Confirmed?

bw> ========
bw> Second:
bw> ========

bw> What is happening to us?
bw> Please check it out.
bw> http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt
bw> or same file,
bw> http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt

bw> This is a test message which demonstrates sending e-mail
bw> in HTML format according to RFC 2557.

bw> And check out please.
bw> mhtml:http://dsv.su.se/jpalme/ietf/mhtml-test/mhtml-3.txt
bw> or same file,
bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q1.txt


bw> ========
bw> Third:
bw> ========

bw> Then we can change Content-Transfer-Encoding:
bw> from '7bit' to 'quoted-printable'.
bw> Check it out please.
bw> http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt


bw> - ----- q2.txt ------
bw> Content-Type: text/html; charset=us-ascii
bw> Content-Transfer-Encoding: quoted-printable

bw> =3C!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"=3E
bw> =3CHTML=3E
bw> =3CHEAD=3E=3CTITLE=3ETest message no. 3=3C/TITLE=3E
bw> =3C/HEAD=3E
bw> =3CBODY=3E
bw> =3CH1=3EThis is test message no. 3=3C/H1=3E

bw> =3CH2=3EHere comes the red test image:=3C/H2=3E
bw> =3CIMG
bw> SRC=3D"http://www.dsv.su.se/jpalme/mimetest/red-test-image.gif";
bw> BORDER=3D0 HEIGHT=3D32 WIDTH=3D117
bw> ALT=3D"red test image"=3E

bw> =3CH2=3EHere comes the yellow test image:=3C/H2=3E
bw> =3CIMG
bw> SRC=3D"http://www.dsv.su.se/jpalme/mimetest/yellow-test-image.gif";
bw> BORDER=3D0 HEIGHT=3D32 WIDTH=3D152
bw> ALT=3D"yellow test image"=3E

bw> =3CP=3EThis is the last line of this test message.
bw> =3C/BODY=3E=3C/HTML=3E
bw> - ----- q2.txt ------

bw> Where is the HTML TAG?
bw> Do you know how to sanitise?
bw> mhtml:http://freehost02.websamba.com/bitlance/mhtmlbug/q2.txt

bw> The malicious code would be inserted by a malicious user
bw> on a Blog, Wiki, BBS with a file uploader, etc.
bw> JPEG or GIF files are also poisoned.

bw> There is a possible XSS issue on Windows XPSP2 IE6 via MHTML.

bw> ========
bw> Reference:
bw> ========

bw> Using HTML in E-mail
bw> http://www.dsv.su.se/jpalme/ietf/mhtml.html

bw> MIME Encapsulation of Aggregate HTML Documents (MHTML)
bw> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml_.asp

bw> RFC 2045 - Multipurpose Internet Mail Extensions (MIME) Part One: Format of
bw> Internet Message Bodies
bw> http://www.faqs.org/rfcs/rfc2045.html

bw> ===========

bw> Sorry for my bad English.
bw> Best Regards.

bw> ===========
bw> --
bw> bitlance winter


bw> _______________________________________________
bw> Full-Disclosure - We believe in it.
bw> Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
~/ZARAZA
Firing a second time, he crippled a bystander. The bystander was me. (Twain)

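The point the quoted post makes with q2.txt is that a filter which looks for literal tags in the raw upload sees only "=3CHTML=3E", while a browser opening the file through mhtml: first decodes the transfer encoding and then renders the result. A defender-side check therefore has to parse the upload as a MIME message and decode every part before inspecting it, and it is usually simpler to refuse any "image" or "text" upload that carries MIME headers at all. The following scanner is an added example written for this thread; it is not code from the original post or from any of the referenced sites. It uses only the Python standard library; the sample inputs are constructed to mirror the q2.txt and mhtml-3.txt layouts, and the assumption that an MHTML reader may begin parsing at the first header line even when other bytes precede it (as the scriptkitty.jpg demonstration suggests) is mine.

```python
"""Scan an uploaded file for MHTML-style MIME content that would render as HTML.

Added example for the MHTML content-filter-bypass thread; not code from the
original post. Standard library only. Sample inputs are constructed here.
"""
import base64
import re
from email import message_from_bytes

# Header lines that turn a blob into something an MHTML reader can parse.
MIME_HEADER_RE = re.compile(
    rb"^(?:Content-Type|Content-Transfer-Encoding|MIME-Version):", re.I | re.M
)
# Markup that, once decoded, a browser would render or execute.
HTML_MARKUP_RE = re.compile(
    rb"<\s*/?(?:html|body|script|iframe|object|embed|meta|img)\b"
    rb"|javascript:|\bon[a-z]+\s*=",
    re.I,
)


def mime_start(data: bytes) -> int:
    """Offset of the first MIME header line, or -1 if there is none.

    Assumption (mine): a lenient MHTML reader may start at such a line even
    when image bytes precede it, so the scan does the same.
    """
    match = MIME_HEADER_RE.search(data)
    return match.start() if match else -1


def decoded_parts(data: bytes):
    """Yield (content_type, decoded_body) for every leaf part.

    get_payload(decode=True) undoes quoted-printable and base64, which is
    exactly the step a raw-byte filter skips.
    """
    msg = message_from_bytes(data)
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True)
        if body is not None:
            yield part.get_content_type(), body


def scan_upload(data: bytes) -> list:
    """Return findings for an upload; an empty list means nothing MIME-like.

    Findings are strings: 'mime-headers-present', then one
    'html-in-part:<content-type>' per decoded part containing HTML markup.
    """
    findings = []
    start = mime_start(data)
    if start < 0:
        return findings
    findings.append("mime-headers-present")
    for ctype, body in decoded_parts(data[start:]):
        if HTML_MARKUP_RE.search(body):
            findings.append(f"html-in-part:{ctype}")
    return findings


# Constructed samples (not the files from the post).
QP_SAMPLE = (
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"=3CHTML=3E=3CBODY=3E=3CH1=3ETest=3C/H1=3E=3C/BODY=3E=3C/HTML=3E\r\n"
)
# A JPEG-looking prefix followed by the same MIME part: what an "image" upload
# carrying MHTML looks like to a filter that only checks the magic bytes.
JPEG_WITH_MHTML = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\r\n" + QP_SAMPLE
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(64) + b"\xff\xd9"
# Multipart layout like mhtml-3.txt, with the HTML part base64-encoded.
MULTIPART_SAMPLE = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="bnd"\r\n'
    b"\r\n"
    b"--bnd\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"just text\r\n"
    b"--bnd\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.encodebytes(b"<html><body>Test</body></html>")
    + b"--bnd--\r\n"
)

if __name__ == "__main__":
    for name, sample in [("qp", QP_SAMPLE), ("jpeg+mhtml", JPEG_WITH_MHTML),
                         ("clean jpeg", CLEAN_JPEG), ("multipart", MULTIPART_SAMPLE)]:
        print(name, scan_upload(sample))
```

Running the block prints an empty finding list for the clean JPEG and flags the other three, including the base64 part that a literal "<script"/"<html" search on the raw bytes would never see. In an upload handler the practical rule is to reject on "mime-headers-present" alone; the per-part decode is there to show what the browser would have rendered.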
