Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
Microsoft Internet Explorer Has Fixed Security Zone for about: URLs and Has Shared Cookie Flaw That Diminishes Cross-Site Scripting Protections
SecurityTracker Alert ID: 1002595|
SecurityTracker URL: http://securitytracker.com/id/1002595
CAN-2001-0722, CAN-2001-0723, CAN-2001-0724
(Links to External Site)
Updated: Dec 1 2003|
Original Entry Date: Oct 20 2001
Execution of arbitrary code via network|
Exploit Included: Yes |
Version(s): IE on Windows, all versions believed to be vulnerable; The following versions were tested: 4.72.3612.1713 (SP2; 3283), 5.00.3315.1000 (SP2), 5.50.4522.1800, 6.0.2600.0000.|
A vulnerability was reported in Microsoft Internet Explorer (IE). It is reported that the "about:" URL is always considered part of the Internet security zone and that it has a shared global cookie flaw that allows different sites to access "about:" page cookies. This could facilitate cross-site scripting attacks.|
If a remote web site or HTML-based e-mail includes a link to an "about:" page that is not known to IE, the browser will echo the "about:" string exactly on the page. All "about:" pages are reportedly considered to be in the browser's Internet Zone. As a result, web sites in the Restricted Zone can link to an "about:" page to inject malicious scripting content that would not otherwise be permitted and cause the code to be executed on the browser.
In addition, cookies can be stored for "about:" pages in IE 5.5 and IE 6. Due to a flaw in the way IE parses "about:" URLs, different sites can pass shared cookies. It is reported that IE incorrectly applies HTTP-style URL parsing to "about:" URLs such that a URL that contains a "?" character is only analyzed up to the "?" character when determining uniqueness of the URL. So, any URL that begins with "about:?" will be considered to be the same URL in determining cookie access.
A demonstration exploit is described in the Source Message. The author of the report notes that only IE5.5 and IE6 were able to store cookies for "about:" pages, so the exploit did not work on IE4 and IE5.0.
The author of the report also notes that this may be considered a "minor vulnerability."
No vendor solution was available at the time of this entry. The author of the report provides the following workaround and recommendations:|
"Disable scripting in the Internet Zone.
Vendor URL: www.microsoft.com/technet/security/ (Links to External Site)
|Underlying OS: Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Subject: Minor IE vulnerability: about: URLs|
Zone spoofing? Oh yes, that reminds me. Here's another one.
Affected: Internet Explorer under Windows, up to version 6
Workaround: Disable scripting in the Internet Zone
If an unknown 'about:' name is used, IE echos the string exactly to the
page. So 'about:foo' results in an HTML page containing the word 'foo',
'about:<em>bar</em>' results in a page containing the emphasised word
'bar', and 'about:<script>...</script>' is an obvious security issue.
This amounts to a cross-site-scripting hole (see CERT CA-2000-02) built
into every copy of IE.
'about:' pages are in the Internet Zone; hence, sites in the Restricted
Zone (including HTML e-mail) may, by linking to an 'about' page, inject
and execute content they would not normally be allowed to run.
***Sites that accept user-submitted content *must* filter out about:
ones.*** It's probably a good idea to disallow all protocol not known-
good (http[s], ftp, etc.) as there may be other protocols which present
Cookies can be stored for 'about:' pages in newer versions of IE. This
allows any site to store and read cookies from a shared location,
circumventing the normal restriction that sites may not pass cookies to
[Each 'about:' page is considered different so if we were to write
that cookie would only be readable from the same URL, which would only
give us a one-bit store for each URL. We can get around this by noting
that IE incorrectly applies HTTP-style URL parsing to 'about:' URLs -
one consequence of which is that if you include a question mark in the
URL, only the part of the URL before the ? is considered part of the
unique page name.]
Global shared cookie store. Cookies are deliberately designed to
disallow sharing between sites, through restrictions on the 'path'
setting. These pages, however, can read each other's cookies:
Of course they could do so with a lot more subtlety, hiding from
the user using techniques like invisible frames, transparent
Assume all versions of IE/Win are vulnerable. Status of IE under other
platforms is unknown. Versions tested:
4.72.3612.1713 (SP2; 3283)
However, only IE5.5 and IE6 seemed able to store cookies for about:
pages; the exploit did not work on IE4 and IE5.0.
Vendor response: Probably won'tfix.
A Microsoft chap pointed out that sites can already break out of the
Restricted Sites Zone, simply by pointing at another site that is
not in that Zone.
(Cookies could similarly be shared by creating a 'cookie aggregator'
site which could be redirected to in order to set the desired cookie
and return to the originating site with a copy of all cookies set
by different sites.)
My response: in both cases, the 'rogue' site being redirected to can
also be put in the Restricted Sites Zone to stop it. This is not the
case with about: URLs, which are always in the Internet Zone and
cannot be changed. External sites can also be foiled through
firewalling and local blackhole routing, which about: cannot.
Unlike external sites, about: URLs are processed instantaneously,
making the user much less likely to notice them. Finally, an external
cookie aggregator site would be subject to privacy policies and laws,
which about: URLs cannot be.
I think it is a shame that the usefulness of the Restricted Sites
Zone feature and the locality restrictions on cookies are compromised
in favour of a feature (about:something generating a page with
'something' on) that is undocumented, non-standard, little-known and
of no conceivable legitimate use whatsoever.
But your mileage may vary. Make sure your web apps aren't
Go to the Top of This SecurityTracker Archive Page