SecurityTracker.com
SecurityTracker Archives
Category:   Application (Web Browser)  >   Microsoft Internet Explorer (IE)
Vendors:   Microsoft
Microsoft Internet Explorer Has Fixed Security Zone for about: URLs and Has Shared Cookie Flaw That Diminishes Cross-Site Scripting Protections
SecurityTracker Alert ID:  1002595
SecurityTracker URL:  http://securitytracker.com/id/1002595
CVE Reference:   CAN-2001-0722, CAN-2001-0723, CAN-2001-0724
Updated:  Dec 1 2003
Original Entry Date:  Oct 20 2001
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): IE on Windows, all versions believed to be vulnerable; The following versions were tested: 4.72.3612.1713 (SP2; 3283), 5.00.3315.1000 (SP2), 5.50.4522.1800, 6.0.2600.0000.
Description:   A vulnerability was reported in Microsoft Internet Explorer (IE). It is reported that the "about:" URL is always considered part of the Internet security zone and that it has a shared global cookie flaw that allows different sites to access "about:" page cookies. This could facilitate cross-site scripting attacks.

If a remote web site or HTML-based e-mail includes a link to an "about:" page that is not known to IE, the browser echoes the "about:" string verbatim into the generated page. All "about:" pages are reportedly treated as belonging to the browser's Internet Zone. As a result, a web site in the Restricted Zone can link to an "about:" page to inject script content that the Restricted Zone would not permit, and the browser executes that code under Internet Zone settings.

In addition, cookies can be stored for "about:" pages in IE 5.5 and IE 6. Due to a flaw in the way IE parses "about:" URLs, different sites can pass shared cookies. It is reported that IE incorrectly applies HTTP-style URL parsing to "about:" URLs, so when it determines whether two URLs name the same page it considers only the portion before a "?" character. Consequently, every URL that begins with "about:?" is treated as the same page for the purpose of cookie access.
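To make the "?" truncation concrete, the following is an added illustration (not code from SecurityTracker, from the report's author, or from Microsoft): a toy cookie jar keyed once with the HTTP-style rule the advisory describes, where everything after "?" is discarded, and once with the whole "about:" string as the page identity. It is a simplified model of the described behaviour, not a reimplementation of IE; the function and class names (httpStyleKey, opaqueKey, CookieJar, crossPageRead, demo) and the sample URLs are this example's own.

```javascript
// Added illustration (not the advisory's or Microsoft's code): a toy cookie
// jar that shows how the keying rule decides whether two "about:" URLs share
// cookies. Names and sample URLs below are constructed for this example.

// Flawed rule described in the advisory: HTTP-style parsing keeps only the
// part before "?" when deciding which page a URL names, so "about:?anything"
// always collapses to the key "about:".
function httpStyleKey(url) {
  const q = url.indexOf("?");
  return q === -1 ? url : url.slice(0, q);
}

// Scheme-aware rule: "about:" is an opaque scheme with no host, path or query,
// so the entire string is the page identity and nothing is discarded.
function opaqueKey(url) {
  return url;
}

// Minimal per-page cookie store; the key function decides page identity.
class CookieJar {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.store = new Map(); // page key -> Map(cookie name -> value)
  }
  set(url, name, value) {
    const key = this.keyFn(url);
    if (!this.store.has(key)) this.store.set(key, new Map());
    this.store.get(key).set(name, value);
  }
  get(url, name) {
    const bucket = this.store.get(this.keyFn(url));
    return bucket === undefined ? undefined : bucket.get(name);
  }
}

// Constructed sample pages: two "about:" URLs that differ only after "?",
// and two that differ before any "?".
const PAGE_A = "about:?site=alpha";
const PAGE_B = "about:?site=beta";
const PAGE_FOO = "about:foo";
const PAGE_BAR = "about:bar";

// Store a cookie from `writer` and report what `reader` sees under `keyFn`.
function crossPageRead(keyFn, writer, reader) {
  const jar = new CookieJar(keyFn);
  jar.set(writer, "token", "set-by-" + writer);
  return jar.get(reader, "token");
}

// Summarise both rules over both pairs of pages.
function demo() {
  return {
    // Under the flawed rule the "?" pages share one store ...
    httpStyleQuery: crossPageRead(httpStyleKey, PAGE_A, PAGE_B),
    // ... but pages that differ before "?" stay separate even there.
    httpStylePlain: crossPageRead(httpStyleKey, PAGE_FOO, PAGE_BAR),
    // Under the opaque rule neither pair shares anything.
    opaqueQuery: crossPageRead(opaqueKey, PAGE_A, PAGE_B),
    opaquePlain: crossPageRead(opaqueKey, PAGE_FOO, PAGE_BAR),
  };
}
```

Calling demo() shows the single case in which the two rules disagree: the pair of pages that differ only after "?". Keying on the full opaque string, as opaqueKey does, is the property a correct implementation needs; the flawed rule is the one the advisory attributes to IE.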

A demonstration exploit is described in the Source Message. The author of the report notes that only IE5.5 and IE6 were able to store cookies for "about:" pages, so the exploit did not work on IE4 and IE5.0.

The author of the report also notes that this may be considered a "minor vulnerability."

Impact:   A malicious web page in a user's Restricted security zone could cause Javascript to be executed in the Internet security zone, circumventing Restricted zone protections.
Solution:   No vendor solution was available at the time of this entry. The author of the report provides the following workaround and recommendations:

"Disable scripting in the Internet Zone.

Web sites that accept user-submitted content *must* filter out about: URLs just as they should filter out 'javascript:' and 'vbscript:' ones. It's probably a good idea to disallow all protocols not known-good (http[s], ftp, etc.) as there may be other protocols which present a risk."
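The second recommendation above, an allow-list of known-good schemes rather than a block-list of about:, javascript: and vbscript:, as an added example for a site that accepts user-submitted links (this is the editor's illustration, not code from the report's author or from SecurityTracker; the same advice appears in the Source Message below). It assumes the value being checked is the raw href attribute text and applies the leading/trailing control-character trimming and tab/newline removal that current URL parsers perform, so padding or case changes do not hide a scheme. ALLOWED_SCHEMES (including mailto, which is a choice made here, not one the advisory names), extractScheme, isSafeLink, sanitizeHref and classifyLinks are names chosen for this example, and the sample link values are constructed.

```javascript
// Added example (not from the advisory or its author): allow-list filtering
// of URL schemes in user-submitted links, per the recommendation to permit
// only known-good protocols. Names below are this example's own.

// Only schemes the site deliberately supports. Anything else, including
// about:, javascript:, vbscript: and schemes nobody has thought about yet,
// is rejected without needing to be listed.
const ALLOWED_SCHEMES = new Set(["http", "https", "ftp", "mailto"]);

// Pull the scheme out of a raw href value. Browsers strip leading/trailing
// C0 control characters and spaces and remove ASCII tab/newline anywhere
// before parsing, so the same is done here; otherwise a padded or
// mixed-case "about:" would slip past a naive string comparison.
function extractScheme(raw) {
  const cleaned = String(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// A link is acceptable if it is relative (no scheme: it resolves against the
// hosting page and so inherits that page's own http/https) or if its scheme
// is on the allow-list.
function isSafeLink(raw) {
  const scheme = extractScheme(raw);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Replace a rejected href with a harmless value instead of dropping the
// whole element, so the surrounding user content still renders.
function sanitizeHref(raw) {
  return isSafeLink(raw) ? String(raw).trim() : "#";
}

// Constructed sample values a user might submit in an href attribute.
const SAMPLE_LINKS = [
  "http://www.example.com/page",
  "HTTPS://www.example.com/",
  "/relative/path",
  "mailto:someone@example.com",
  "about:foo",
  "  ABOUT:foo",
  "javascript:void(0)",
  "vbscript:x",
  "gopher://gopher.example.com/",
];

// Decision table for the samples: href -> true (kept) / false (rejected).
function classifyLinks(links = SAMPLE_LINKS) {
  const out = {};
  for (const l of links) out[l] = isSafeLink(l);
  return out;
}
```

classifyLinks() rejects the three schemes the advisory names and also the gopher: sample, which is the point of an allow-list: a scheme that was never considered is rejected by default rather than requiring a new block-list entry. The whitespace and case handling in extractScheme is what keeps "  ABOUT:foo" from being treated as a different string from "about:foo".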

Vendor URL:  www.microsoft.com/technet/security/
Cause:   State error
Underlying OS:   Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(A User Provides a Workaround) Re: Microsoft Internet Explorer Has Fixed Security Zone for about: URLs and Has Shared Cookie Flaw That Diminishes Cross-Site Scripting Protections   ("Clover Andrew" <aclover@1value.com>)
A user has provided a workaround.
(Microsoft Issues Warning and Describes a Workaround) Microsoft Internet Explorer Has Fixed Security Zone for about: URLs and Has Shared Cookie Flaw That Diminishes Cross-Site Scripting Protections   (Microsoft Product Security <secnotif@MICROSOFT.COM>)
The vendor has issued a warning and described a workaround while a patch is being prepared.
(How to Test for this Vulnerability) Re: Microsoft Internet Explorer Has Fixed Security Zone for about: URLs and Has Shared Cookie Flaw That Diminishes Cross-Site Scripting Protections   (Jouko Pynnonen <jouko@solutions.fi>)
A user describes how to test for this vulnerability.
(Microsoft Issues Fix) Microsoft Internet Explorer Has Fixed Security Zone for about: URLs and Has Shared Cookie Flaw That Diminishes Cross-Site Scripting Protections   (Microsoft Product Security <secnotif@MICROSOFT.COM>)
The vendor has released a fix.



Source Message Contents

Date:  Fri, 19 Oct 2001 17:13:55 +0200
Subject:  Minor IE vulnerability: about: URLs


Zone spoofing? Oh yes, that reminds me. Here's another one.

Affected: Internet Explorer under Windows, up to version 6
Risk: Low
Workaround: Disable scripting in the Internet Zone

Problem:

If an unknown 'about:' name is used, IE echoes the string exactly to the
page. So 'about:foo' results in an HTML page containing the word 'foo',
'about:<em>bar</em>' results in a page containing the emphasised word
'bar', and 'about:<script>...</script>' is an obvious security issue.

This amounts to a cross-site-scripting hole (see CERT CA-2000-02) built
into every copy of IE.


Consequences:

'about:' pages are in the Internet Zone; hence, sites in the Restricted
Zone (including HTML e-mail) may, by linking to an 'about' page, inject
and execute content they would not normally be allowed to run.

***Sites that accept user-submitted content *must* filter out about:
URLs just as they should filter out 'javascript:' and 'vbscript:'
ones.*** It's probably a good idea to disallow all protocols not known-good
(http[s], ftp, etc.) as there may be other protocols which present
a risk.

Cookies can be stored for 'about:' pages in newer versions of IE. This
allows any site to store and read cookies from a shared location,
circumventing the normal restriction that sites may not pass cookies to
each other.

[Each 'about:' page is considered different so if we were to write
'about:<script>alert(document.cookie);document.cookie='a=b'</script>',
that cookie would only be readable from the same URL, which would only
give us a one-bit store for each URL. We can get around this by noting
that IE incorrectly applies HTTP-style URL parsing to 'about:' URLs -
one consequence of which is that if you include a question mark in the
URL, only the part of the URL before the ? is considered part of the
unique page name.]


Exploit:

Global shared cookie store. Cookies are deliberately designed to
disallow sharing between sites, through restrictions on the 'path'
setting. These pages, however, can read each other's cookies:

  http://and.doxdesk.com/transfer/vuln.html
  http://www.1value.com/transfer/vuln.html

Of course they could do so with a lot more subtlety, hiding from
the user using techniques like invisible frames, transparent
redirects, etc. 


Versions:

Assume all versions of IE/Win are vulnerable. Status of IE under other
platforms is unknown. Versions tested:

4.72.3612.1713 (SP2; 3283)
5.00.3315.1000 (SP2)
5.50.4522.1800
6.0.2600.0000

However, only IE5.5 and IE6 seemed able to store cookies for about:
pages; the exploit did not work on IE4 and IE5.0.


Vendor response: Probably won't fix.

A Microsoft chap pointed out that sites can already break out of the
Restricted Sites Zone, simply by pointing at another site that is
not in that Zone.

(Cookies could similarly be shared by creating a 'cookie aggregator'
site which could be redirected to in order to set the desired cookie
and return to the originating site with a copy of all cookies set
by different sites.)

My response: in both cases, the 'rogue' site being redirected to can
also be put in the Restricted Sites Zone to stop it. This is not the
case with about: URLs, which are always in the Internet Zone and
cannot be changed. External sites can also be foiled through
firewalling and local blackhole routing, which about: cannot.
Unlike external sites, about: URLs are processed instantaneously,
making the user much less likely to notice them. Finally, an external
cookie aggregator site would be subject to privacy policies and laws,
which about: URLs cannot be.

I think it is a shame that the usefulness of the Restricted Sites
Zone feature and the locality restrictions on cookies are compromised
in favour of a feature (about:something generating a page with
'something' on) that is undocumented, non-standard, little-known and
of no conceivable legitimate use whatsoever.

But your mileage may vary. Make sure your web apps aren't
exploitable, anyway.

-- 
Andrew Clover
Technical Consultant
1VALUE.com AG

Copyright 2014, SecurityGlobal.net LLC