SecurityTracker.com Archives - Microsoft Outlook Express 'mhtml:' Redirect URL Processing Lets Remote Users Bypass Security Domains

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (E-mail Client) > Microsoft Outlook Express

Vendors: Microsoft

Microsoft Outlook Express 'mhtml:' Redirect URL Processing Lets Remote Users Bypass Security Domains

SecurityTracker Alert ID: 1016005

SecurityTracker URL: http://securitytracker.com/id?1016005

CVE Reference: CVE-2006-2111 (Links to External Site)

OSVDB Reference: 25073 (Links to External Site)

Updated: Jun 12 2007

Original Entry Date: Apr 27 2006

Impact: Modification of system information, User access via network

Fix Available: Yes Exploit Included: Yes Vendor Confirmed: Yes

Advisory: Microsoft Security Bulletin

Version(s): 6

Description: A vulnerability was reported in Microsoft Outlook Express. A remote user may be able to access information on behalf of the target user.

The software does not properly process HTTP 302 redirect responses containing 'mhtml:' URLs.

A remote user can create HTML that references a page on a site controlled by the remote user (e.g., 'http://[attacker_site]/page_x'). When the URL is loaded by the target user, the remote user's site will return a specially crafted HTTP 302 Location response that points to a different page (e.g., 'page_y') on the same site controlled by the target user, as shown below:

Location: mhtml:http://[attacker_site]/page_y

When this redirect URL is loaded by the target user's browser, the remote user's site will return another HTTP 302 Location response that, in turn, points to an arbitrary site. Javascript running in the context of the original HTML page can then access content from the arbitrary site with the privileges of the target user, crossing security domain boundaries.

Secunia posted a demonstration exploit based on proof-of-concept code by 'codedreamer':

http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/

[Editor's note: This vulnerability was originally reported as affecting Internet Explorer (IE). On October 19, 2006, Microsoft indicated that the vulnerability resides in a component of Outlook Express and not IE. However, IE can be used as an attack vector.]

Impact: A remote user can create HTML that, when loaded by the target user, will run in one domain but will be able to access content from an arbitrary, different domain.

Vendor URL: www.microsoft.com/technet/security/bulletin/ms07-034.mspx (Links to External Site)

Cause: Access control error

Underlying OS: Windows (Any)

Message History: None.

Source Message Contents

Date: Thu, 27 Apr 2006 18:04:27 -0400
Subject: Microsoft Internet Explorer (IE) vulnerability

 
 
Secunia posted a test based on proof-of-concept code, reportedly by 'codedreamer':
 
http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2007, SecurityGlobal.net LLC