Amish's blog

Monday, August 20, 2007

Cross Site Scripting (XSS) on research.microsoft.com

Cross Site Scripting Vulnerability on http://research.microsoft.com

URL: http://research.microsoft.com/search/search.aspx

OS: Windows XP SP2

Browsers: Internet Explorer 6.0, Firefox 2.0

Severity: High


Saturday, November 11, 2006

Subject: "MyBand is Your Band" band object msdn sample unregister problem

If you want to create a toolbar or explorer bar in Internet Explorer, you have to work with band objects. MSDN explains band objects well, but if you want to study and really understand them, Paul has written a very good article:

"MyBand is Your Band: More Reusable MFC Goodies with Band Objects and COMToys" by Paul DiLascia, November 1999. You can find it on the MSDN site:

http://www.microsoft.com/msj/1199/bandobj/bandobj.aspx

On the XP machine, I found a problem while unregistering. It gave me an error, so I couldn't unregister. Then I debugged the problem and found the issue.

Microsoft provides the ICatRegister COM interface to register CATID_InfoBand and CATID_CommBand. Using the RegisterClassImplCategories and UnRegisterClassImplCategories functions of ICatRegister you can easily register both band object categories in the Internet Explorer registry contexts. The sample code also uses this interface. The problem is that the code deletes the whole CLSID key tree first and only then unregisters the band object categories, so UnRegisterClassImplCategories fails (the subkeys it has to update are already gone) and the function returns FALSE. If you change the sequence, it works fine. Here is the modified UpdateRegistry function:

BOOL CBandObjFactory::UpdateRegistry(BOOL bRegister)
{
    BOTRACEFN(_T("CBandObjFactory(%p)::UpdateRegistry(%d)\n"), this, bRegister);

    static const LPOLESTR RT_REGISTRY = OLESTR("REGISTRY");
    UINT nID = GetResourceID();
    if (nID==0)
        return TRUE;

    if (!::FindResource(AfxGetResourceHandle(),
            MAKEINTRESOURCE(nID), CString(RT_REGISTRY)))
        return FALSE;

    // initialize registry variables
    CTRegistrar iReg;
    OnInitRegistryVariables(iReg);

    // register/unregister script
    CString s;
    ::GetModuleFileName(AfxGetInstanceHandle(),
        s.GetBuffer(_MAX_PATH), _MAX_PATH);
    s.ReleaseBuffer(); // let CString pick up the length written by GetModuleFileName

    USES_CONVERSION;
    LPOLESTR lposModuleName = T2OLE(s);
    TRACE(_T("sModuleName=%s\n"), OLE2T(lposModuleName));

    HRESULT hr = bRegister ?
        iReg->ResourceRegister(lposModuleName, nID, RT_REGISTRY) :
        iReg->ResourceUnregister(lposModuleName, nID, RT_REGISTRY);
    if (!SUCCEEDED(hr)) {
        TRACE(_T("*** CBandObj:: error %s loading registry script"), DbgName(hr));
        return FALSE;
    }

    // register/unregister categories using ICatRegister
    CTCatRegister iCat;
    REFIID clsid = m_clsid;
    hr = bRegister ?
        iCat->RegisterClassImplCategories(clsid, 1, &m_catid) :
        iCat->UnRegisterClassImplCategories(clsid, 1, &m_catid);
    if (!SUCCEEDED(hr)) {
        TRACE(_T("*** CBandObj:: error %s registering category"), DbgName(hr));
        return FALSE;
    }

    /* changed sequence: this block used to run before the ICatRegister code,
       so the CLSID tree was already gone when UnRegisterClassImplCategories ran */
    if (bRegister==FALSE) {
        // IRegistrar doesn't always delete top-level key right, so delete it
        CString sClsid;
        sClsid = StringFromCLSID(m_clsid);
        if (!sClsid.IsEmpty()) { // for extra-safety! don't delete CLSID !!
            CString sKey;
            sKey.Format(_T("CLSID\\%s"), (LPCTSTR)sClsid);
            AfxGetApp()->DelRegTree(HKEY_CLASSES_ROOT, sKey);
        }
    }

    return SUCCEEDED(hr); // return, bypassing MFC/COleObjectFactory
}

Since this code was written in 1999, it was presumably working fine on NT and 98; however, I have not checked it on 98 or NT. Paul has created a really good framework.

How to set REG_BINARY data with registrar scripts

The ATL Registrar provides the IRegistrar COM interface to access the system registry. The Registrar is free-threaded and allows static linking of the code for C++ clients. The user has to create an .rgs file using the BNF syntax, which is explained very well in MSDN. I couldn't find any example for binary data, so here is a sample script to add/modify binary data in the registry.

This creates a test key under HKLM\Software. Then it creates a Foo value of type REG_BINARY holding the value 0x23, i.e. the bytes 23 00 00 00 00 00 00 00 (least significant byte first).

HKLM
{
    NoRemove Software
    {
        Remove 'test' = s ''
        {
            val Foo = b '2300000000000000'
        }
    }
}
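The b '...' payload is just the raw bytes as hex digits in storage order, so the easy mistake is byte order. The following is an added example, not code from the post or from ATL: it builds that payload for a 64-bit value the way the script above does, and decodes one back, rejecting odd-length or non-hex strings.

```cpp
#include <cstdint>
#include <string>
#include <vector>
// Map one hex digit to its value, or -1 for anything else.
static int hexVal(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;  // fold A-F to a-f
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

// Encode raw bytes as the payload of an .rgs "val Name = b '...'" entry:
// two hex digits per byte, no separators, in storage order.
std::string rgsBinary(const std::vector<uint8_t>& bytes) {
    static const char digits[] = "0123456789abcdef";
    std::string out;
    for (uint8_t b : bytes) { out += digits[b >> 4]; out += digits[b & 0x0F]; }
    return out;
}

// A 64-bit integer stored as REG_BINARY is least significant byte first,
// which is why 0x23 appears as 23 00 00 00 00 00 00 00 in the script above.
std::vector<uint8_t> qwordBytes(uint64_t v) {
    std::vector<uint8_t> out(8);
    for (int i = 0; i < 8; ++i) out[i] = static_cast<uint8_t>(v >> (8 * i));
    return out;
}

// Reverse of qwordBytes, to confirm a payload decodes to the intended value.
uint64_t decodeQword(const std::vector<uint8_t>& bytes) {
    uint64_t v = 0;
    for (size_t i = 0; i < bytes.size() && i < 8; ++i) v |= uint64_t(bytes[i]) << (8 * i);
    return v;
}

// Decode a b '...' payload back to bytes. Returns false on an odd digit count
// or a non-hex character, so a malformed script is caught before registration.
bool parseRgsBinary(const std::string& hex, std::vector<uint8_t>& out) {
    out.clear();
    if (hex.size() % 2 != 0) return false;
    for (size_t i = 0; i < hex.size(); i += 2) {
        int hi = hexVal(hex[i]), lo = hexVal(hex[i + 1]);
        if (hi < 0 || lo < 0) return false;
        out.push_back(static_cast<uint8_t>(hi * 16 + lo));
    }
    return true;
}

// Build the "val Name = b '...'" line of the script above from a 64-bit value.
std::string rgsQwordLine(const std::string& name, uint64_t value) {
    return "val " + name + " = b '" + rgsBinary(qwordBytes(value)) + "'";
}
```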

Wednesday, October 11, 2006

Just created, come back soon..

I've just created this. Will soon upload some good nuts.