This article is very old (first published in 25 dec 2007) but many things still work.
Author: Alexandr Polyakov
As is known, users can upload images on a Web-server which is provided by numerous Web-projects, such as all kinds of CMS (Bitrix, runCMS, Mambo), forums (PhpBB, vBulluten), mail services (mail.ru, yandex.ru), blogs and social networks (facebook.com, livejournal.com, vkontakte.ru, liveinternet.ru, myspace.com). Such sites are potentially vulnerable to XSS-attacks that can use the flaw in the features of the images handling mechanism in Internet Explorer This feature is not new, but because it is not corrected in Internet Explorer 7.0 we decided to make an article about this problem This feature of the pictures processing and displaying is not new, and the ability to carry out an XSS-attack via picture was known to hackers. Due to the fact that this feature was ignored in the new version of Internet Explorer 7.0, the issue can be discussed again with more features.
XSS in images evasion bypass, (373 KB)