Cross-site scripting (XSS) vulnerability in The Address Book 1.04e allows remote attackers to inject arbitrary web script or HTML by uploading an HTML file with a .gif or .jpg extension, which Internet Explorer then renders as HTML.
The Address Book 1.04e is vulnerable to a cross-site scripting (XSS) attack. Attackers can upload malicious HTML files disguised as images, which, when viewed in Internet Explorer, execute arbitrary JavaScript, potentially leading to account compromise and data theft.
Step 1: Payload Creation: The attacker crafts a malicious HTML file containing JavaScript code designed to perform actions like stealing cookies, redirecting users, or defacing the application. This HTML file is designed to exploit the XSS vulnerability.
Step 2: File Disguise: The attacker renames the malicious HTML file, giving it a .gif or .jpg extension to bypass file type validation.
Step 3: File Upload: The attacker uploads the disguised HTML file to The Address Book 1.04e.
Step 4: Victim Interaction: A user views the uploaded file through Internet Explorer, either directly or indirectly (e.g., through a link provided by the attacker).
Step 5: Script Execution: Internet Explorer, due to the lack of proper content type validation, renders the uploaded file as HTML, executing the embedded JavaScript payload.
Step 6: Attack Completion: The malicious JavaScript executes, allowing the attacker to perform actions like stealing the user's session cookies, redirecting the user to a phishing site, or modifying the application's content.
The vulnerability stems from insufficient input validation and improper content type handling. The Address Book 1.04e allows users to upload files without properly verifying their content. Specifically, it trusts the file extension (.gif or .jpg) to determine the content type, failing to check the actual file contents. This allows an attacker to upload an HTML file crafted to execute JavaScript, disguised with a .gif or .jpg extension. When Internet Explorer renders the uploaded file, it interprets the HTML, executing the malicious script.
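The root cause above is that the extension, not the content, decides what an upload is. The following added example (not code from The Address Book or from the advisory) shows the server-side check a defender would put in front of an image upload handler: it compares the bytes of the file against the magic-byte signature of the claimed extension, refuses anything whose head contains HTML markup (which is what a browser's content sniffer keys on), and builds the response headers that stop Internet Explorer and other browsers from sniffing a served upload as HTML. The signature table, the sample uploads and the helper names are constructed for illustration.

```python
"""
Defensive validation for image uploads (added example, not the project's own code).

Two independent layers:
  1. validate_image_upload(): reject files whose bytes do not match the signature
     of the extension they claim, and reject anything whose head looks like HTML.
  2. safe_download_headers(): when serving a stored upload, tell browsers not to
     sniff the body and to treat it as a download rather than a page.
"""
import re
from typing import Dict, Tuple

# Magic-byte signatures from the public file-format specs (assumed allow-list).
IMAGE_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Canonical MIME type to declare for each allowed extension.
IMAGE_MIME = {"gif": "image/gif", "jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png"}

# Tags a content sniffer is willing to interpret as HTML, matched case-insensitively
# and with optional whitespace after '<'. Only the head of the file is scanned,
# which is where browser sniffers look.
_HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|iframe|img|a|object|embed|svg)\b",
    re.IGNORECASE,
)
_SNIFF_WINDOW = 1024  # bytes of the head to scan (constructed, conservative choice)


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot, or '' if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def looks_like_html(data: bytes) -> bool:
    """True if the head of the file contains markup a browser would render as HTML."""
    return _HTML_MARKERS.search(data[:_SNIFF_WINDOW]) is not None


def validate_image_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """
    Decide whether an upload may be stored as an image.
    The extension is only used to pick which signature to check; the decision
    is made on the bytes, never on the name alone.
    """
    ext = extension_of(filename)
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension '{ext}' is not on the image allow-list"
    if looks_like_html(data):
        return False, "file head contains HTML markup"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, f"bytes do not match the signature for .{ext}"
    return True, "ok"


def safe_download_headers(filename: str) -> Dict[str, str]:
    """
    Response headers for serving a stored upload. 'nosniff' forbids content
    sniffing, and 'attachment' prevents the body from being displayed inline
    even if the declared type were wrong. The filename is reduced to a safe
    character set so it cannot inject header syntax.
    """
    ext = extension_of(filename)
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": IMAGE_MIME.get(ext, "application/octet-stream"),
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the validator over constructed sample uploads and return the verdicts."""
    samples = {
        # A minimal genuine GIF header (constructed).
        "photo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
        # The advisory's case: an HTML document renamed to .gif (constructed, benign body).
        "avatar.gif": b"<html><body>not an image</body></html>",
        # Right signature family, wrong extension: a GIF uploaded as .jpg.
        "pic.jpg": b"GIF89a\x01\x00\x01\x00",
        # Extension not on the allow-list at all.
        "page.html": b"<!DOCTYPE html><html></html>",
    }
    return {name: validate_image_upload(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
    print(safe_download_headers("avatar.gif"))
```

The signature check and the HTML-marker check are deliberately separate: a polyglot that begins with a valid GIF header and carries markup a little further in passes the first but fails the second. Because sniffers and polyglot tricks change over time, the headers from `safe_download_headers` (and, better still, serving uploads from a separate origin) are the layer that holds even when the content check is wrong.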