SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Web Browser)  >   Microsoft Internet Explorer (IE) Vendors:   Microsoft
(How to Test for this Vulnerability) Re: Microsoft Internet Explorer Has Fixed Security Zone for about: URLs and Has Shared Cookie Flaw That Diminishes Cross-Site Scripting Protections
SecurityTracker Alert ID:  1002719
SecurityTracker URL:  http://securitytracker.com/id/1002719
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 9 2001
Impact:   Execution of arbitrary code via network

Version(s): IE on Windows, all versions believed to be vulnerable; The following versions were tested: 4.72.3612.1713 (SP2; 3283), 5.00.3315.1000 (SP2), 5.50.4522.1800, 6.0.2600.0000.
Description:   A vulnerability was reported in Microsoft Internet Explorer (IE). It is reported that the "about:" URL is always considered part of the Internet security zone and that it has a shared global cookie flaw that allows different sites to access "about:" page cookies. This could facilitate cross-site scripting attacks.

Microsoft Internet Explorer reportedly contains a vulnerability that allows a malicious website to access any cookie in the browser's memory or on disk. For a description of the vulnerability, see the Message History for the original report or for the vendor's advisory.

A user has provided a web page that can reportedly be used for testing the vulnerability:

http://www.solutions.fi/iebug/

Impact:   A malicious web page in a user's Restricted security zone could cause Javascript to be executed in the Internet security zone, circumventing Restricted zone protections.
Solution:   No vendor solution was available at the time of this entry. The author of the report provides the following workaround and recommendations:

"Disable scripting in the Internet Zone.

Web Sites that accept user-submitted content *must* filter out about: URLs just as they should filter out 'javascript:' and 'vbscript:' ones.*** It's probably a good idea to disallow all protocol not known-good (http[s], ftp, etc.) as there may be other protocols which present a risk."

Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:   State error
Underlying OS:   Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Oct 20 2001 Microsoft Internet Explorer Has Fixed Security Zone for about: URLs and Has Shared Cookie Flaw That Diminishes Cross-Site Scripting Protections



 Source Message Contents

Date:  Thu, 8 Nov 2001 15:32:54 +0200 (EET)
Subject:  Microsoft IE cookies readable via about: URLS



Microsoft Internet Explorer has a vulnerability which allows a malicious
website to access any cookie in the browser's memory or those stored on
disk. Cookies are used by web sites for storing preferences, statistics
and tracking users, but also for storing more sensitive information such
as session keys and even usernames and passwords. Cookies are used by
many (probably most) online banks, webmail systems, and other sites
requiring user authentication.

Access to cookies may allow an attacker to retrieve passwords or other
sensitive information, or hijack authenticated web sessions.

What makes this possible are certain features of "about:" URL handling of
IE. For some reason, an URL starting with "about:" can contain html code
that will be interpreted by the browser. For instance entering the URL
"about:<h1>hello</h1>" brings up a page with the heading "hello". The URL
may contain JavaScript as well. Going to the following location with IE
causes an alert box to be displayed:

about:<script language=JavaScript>alert('ALERT');</script>

Finally, the about URL may have a hostname placed after the colon, and IE
uses that hostname when determining the cookies to use:

about://www.anydomain.fi/<script language=JavaScript>alert(document.cookie);</script>

The above URL would result in IE displaying cookies of www.anydomain.fi
in the alert box, assuming that the site has been visited and it has set
a cookie which hasn't expired.

A malicious website can have a piece of JavaScript redirecting the
browser to an about: URL similar to the one above, and do anything with
the cookie information of any selected domain. Instead of showing an
alert box, the JavaScript code might just pass the cookie contents to a
script or a CGI program which could quietly store the information to a
file and then redirect the browser elsewhere or show some seemingly
harmless web content.

A web page for testing the vulnerability can be found at

http://www.solutions.fi/iebug/

You can type in an address of a website that uses cookies, (without
"http://") and it will tell you if your browser is vulnerable to the
problem. For a relatively harmless test case try typing the address
www.google.com in the box (assuming you've visited Google before).

At least IE versions 6 and 5.50 appear to be vulnerable, but it looks
like some older versions like 5.00 isn't, at least in the way described
above. It interprets the html and JavaScript, but doesn't have any cookie
data in document.cookie.

A vulnerability with the same impact came public in May 2000, see
http://www.peacefire.org/security/iecookies/.

Microsoft was contacted November 1st. Their response was quick and they
are producing a patch to be released soon (if not already released).
Until then, you can protect yourself from the vulnerability by disabling
cookies (at Tools -> Internet options -> Security -> Customize) or by
switching to another browser such as Opera or Netscape, which don't
appear to have the same about: URL features.



-- 
Jouko Pynnonen          Online Solutions Ltd      Secure your Linux -
jouko@solutions.fi                                http://www.secmod.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC