CVE-2005-3312
Description
The HTML rendering engine in Microsoft Internet Explorer 6.0 allows remote attackers to conduct cross-site scripting (XSS) attacks via HTML in corrupted images and other files such as .GIF, JPG, and WAV, which is rendered as HTML when the user clicks on the link, even though the web server response and file extension indicate that it should be treated as a different file type.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*
- (no CPE) range: 6.0
Patches
Vulnerability mechanics
Root cause
"Internet Explorer 6.0's HTML rendering engine fails to distinguish embedded file content boundaries, treating the entire data stream (including HTML/script after a valid file header) as renderable HTML."
Attack vector
An attacker crafts a file that begins with a valid file header (e.g., GIF89a for a GIF) but contains HTML and script code in the remainder of the file [ref_id=1]. The file is uploaded to a server that allows file uploads (e.g., a bulletin board avatar system). When a victim using Internet Explorer 6.0 navigates directly to the file's URL (not via an `<img>` tag), IE's rendering engine treats the entire content as HTML and executes the embedded script [ref_id=2]. The attack requires the file to be served over HTTP/HTTPS from a web server; it does not work locally [ref_id=1].
Affected code
The vulnerability lies in the HTML rendering engine of Microsoft Internet Explorer 6.0. The advisory [ref_id=1] explains that IE puts all data (HTML frame and embedded content) into one stream and passes it through the rendering engine, which cannot determine the real boundaries of an embedded file. No patch files are available in the bundle.
What the fix does
No vendor patch is included in the bundle. The advisory [ref_id=1] recommends that end users switch to an unaffected browser (e.g., Mozilla Firefox, Netscape 8.0, Opera). For webmasters, the advisory suggests either disabling all upload/embedding functionality or performing content inspection on uploaded files to reject strings like `<script>` [ref_id=1]. The phpBB-specific write-up [ref_id=2] advises bulletin board administrators to disable the "Upload avatar from URL" option until vendor patches arrive.
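The content inspection suggested for webmasters could look like the following sketch. This is an added example, not code from the advisory or from phpBB; the function name `inspect_upload`, the allowed image types and every marker tag other than `<script>` are assumptions.

```python
import re

# File signatures for the image types a hypothetical avatar endpoint accepts.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# The advisory names <script>; the other tags are assumptions added here.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|object|embed)\b",
    re.IGNORECASE,
)


def inspect_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons to reject an upload; an empty list means accept."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    if ext not in MAGIC:
        return [f"extension {ext!r} not allowed"]
    reasons = []
    # A valid header alone proves nothing, but a header that disagrees
    # with the extension is a cheap signal of a renamed file.
    detected = next((k for k, sigs in MAGIC.items() if data.startswith(sigs)), None)
    if detected is None:
        reasons.append("no known image signature")
    elif detected != ext:
        reasons.append(f"extension says {ext}, content says {detected}")
    # Scan the whole body, not only the first bytes: the markup sits
    # after the header.
    m = HTML_MARKERS.search(data)
    if m:
        reasons.append(f"HTML marker at offset {m.start()}")
    return reasons


# Constructed samples: a minimal 1x1 GIF, and a GIF header followed by markup.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
CRAFTED = (b"GIF89a\x01\x00\x01\x00"
           b"<HTML><HEAD><SCRIPT>/* constructed placeholder */</SCRIPT></HEAD></HTML>")

if __name__ == "__main__":
    for name, blob in (("avatar.gif", CLEAN_GIF), ("avatar.jpg", CRAFTED)):
        print(name, inspect_upload(name, blob) or "accept")
```

Re-encoding accepted images server-side is a stronger control than string matching, since it discards any bytes that are not image data.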
Preconditions
- config: Victim must use Microsoft Internet Explorer 6.0
- input: Attacker must upload a crafted file (valid header + HTML/script payload) to a server that accepts file uploads
- network: File must be served over HTTP/HTTPS from a web server (not local file system)
- input: Victim must navigate directly to the crafted file's URL (not via an `<img>` tag)
Reproduction
1. Create a file with a valid GIF89a header (hex: `47 49 46 38 39 61 01 00 01 00`) followed by HTML/script payload, e.g., `<HTML><HEAD><SCRIPT>alert(document.cookie);</SCRIPT></HEAD></HTML>` [ref_id=2].
2. Rename the file extension to `.JPG` (so IE does not attempt to render it as an image) [ref_id=2].
3. Upload the file to a server that accepts image uploads (e.g., a phpBB forum's avatar upload feature) [ref_id=2].
4. Lure a victim using IE 6.0 to navigate directly to the uploaded file's URL (e.g., `http://phpbbforum.com/images/avatars/2131121a2121f.jpg`). The script will execute in the server's security context [ref_id=2].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.computec.ch/download.php (nvd, Exploit)
- www.scip.ch/cgi-bin/smss/showadvf.pl (nvd, Exploit, Vendor Advisory)
- www.securiteam.com/windowsntfocus/6F00B00EBY.html (nvd, Vendor Advisory)
- marc.info (nvd)
- securityreason.com/securityalert/18 (nvd)