SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Microsoft Internet Explorer Vendors:   Microsoft
(Vendor Issues Fix) Microsoft Internet Explorer May Let Remote Users Read or Write Files Via the dragDrop() Method
SecurityTracker Alert ID:  1008904
SecurityTracker URL:  http://securitytracker.com/id/1008904
CVE Reference:   CVE-2003-1027   (Links to External Site)
Date:  Feb 3 2004
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.01, 5.5, 6
Description:   A vulnerability was reported in Microsoft Internet Explorer. A remote user can create malicious code that will effect the dragging and dropping of arbitrary HTML.

Jelmer reported a vulnerability in the dragDrop() method. According to the report, a remote user can create malicious HTML that, when activated by the target user with the mouse down action ("handleOnmousedown()"), will drop arbitrary text into an HTML upload control [CVE: CVE-2003-0823]. This reportedly allows a remote user to read or write arbitrary specified files to/from the target user's system with the privileges of the target user.

A demonstration exploit page is available at:

http://kuperus.xs4all.nl/security/ie/xfiles.htm

On November 11, 2003, Microsoft issued a fix that appeared to address this flaw reported by Jelmer.

On November 16, 2003, Liu Die Yu reported that a remote user can invoke method caching (i.e., "SaveRef") to tranform a click event (e.g., mousedown, mouseup) to a drag-and-drop event (e.g., mousedown, mousemove, mouseup) even if the MS03-048 patch is applied [CVE: CVE-2003-1027].

Impact:   A remote user can read arbitrary specified files on the target user's system if the target user clicks on an apparent link.

A remote user can place a file containing arbitrary contents on the target user's system when the user clicks on a link.

Solution:   Microsoft has issued the following fixes:

Internet Explorer 6 Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?FamilyId=70530968-B59A-47C0-90D3-0C884910BC97&displaylang=en

Internet Explorer 6 Service Pack 1 (64-Bit Edition):

http://www.microsoft.com/downloads/details.aspx?FamilyId=326EFFDA-8D86-4683-BC77-9BF410BC620D&displaylang=en

Internet Explorer 6 for Windows Server 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=D78AE4F7-8852-4A04-B8F6-1DE327E598F0&displaylang=en

Internet Explorer 6 for Windows Server 2003 (64-Bit Edition):

http://www.microsoft.com/downloads/details.aspx?FamilyId=6A7894F0-789F-4152-9AE4-8DCB43404149&displaylang=en

Internet Explorer 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=BE0C18BC-7F9A-4196-BFDE-29EBA8CF7A50&displaylang=en

Internet Explorer 5.5 Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=EFFE87F6-7ACA-4A54-B767-5597DDE95C6F&displaylang=en

Internet Explorer 5.01 Service Pack 4:

http://www.microsoft.com/downloads/details.aspx?FamilyId=F5E74139-6E0E-49FD-9AA2-36D2D8454A92&displaylang=en

Internet Explorer 5.01 Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?FamilyId=202D3AAC-6B56-4F4A-8C0F-4183C77B6B51&displaylang=en

Internet Explorer 5.01 Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=17904608-DCEE-4C99-A780-81D6DBC48DD5&displaylang=en


Microsoft reminds customers that this cumulative update (as in the previous cumulative updates) will cause the window.showHelp( ) control to no longer work unless you have applied the HTML Help update. See Microsoft Knowledge Base article 811630 for more information.

The Internet Explorer 6 Service Pack 1 (SP1) version of this update must be installed on Internet Explorer 6 SP1 (version 6.00.2800.1106) on one of the following versions of Windows:

* Microsoft Windows NT Workstation 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition, Service Pack 6
* Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
* Microsoft Windows XP
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition, Service Pack 1

The Internet Explorer 6 for Windows Server 2003 version of this update must be installed on Internet Explorer 6 (version 6.00.3790.0000) on Windows Server 2003 (32-bit or 64-bit) or on Internet Explorer 6 (version 6.00.3790.0000) on Windows XP 64-Bit Edition, Version 2003.

The Internet Explorer 6 version of this update must be installed on Internet Explorer 6 (version 6.00.2600.0000) on a 32-bit version of Windows XP.

The Internet Explorer 5.5 version of this update must be installed on Internet Explorer 5.5 Service Pack 2 (version 5.50.4807.2300) on Microsoft Windows Millennium Edition.

The Internet Explorer 5.01 version of this update must be installed on one of the following:

* Internet Explorer 5.01 Service Pack 4 (version 5.00.3700.1000) on Windows 2000 SP4
* Internet Explorer 5.01 Service Pack 3 (version 5.00.3502.1000) on Windows 2000 SP3
* Internet Explorer 5.01 Service Pack 2 (version 5.00.3315.1000) on Windows 2000 SP2

This update requires you to reboot your system after installation.

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS04-004.asp (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   This archive entry is a follow-up to the message listed below.
Feb 3 2003 Microsoft Internet Explorer May Let Remote Users Read or Write Files Via the dragDrop() Method



 Source Message Contents

Subject:  http://www.microsoft.com/technet/security/bulletin/MS04-004.asp


http://www.microsoft.com/technet/security/bulletin/MS04-004.asp

 > Microsoft Security Bulletin MS04-004
 > Cumulative Security Update for Internet Explorer (832894)

 > Impact of vulnerability: Remote Code Execution

 > Maximum Severity Rating: Critical

This update replaces the cumulative update described in Microsoft Security Bulletin MS03-048.

This update affects Windows NT, 2000, 2003, and XP.

This update addresses three newly-discovered vulnerabilities:

   * Travel Log Cross Domain Vulnerability CAN-2003-1026
   * Function Pointer Drag and Drop Vulnerability CAN-2003-1027
   * Improper URL Canonicalization Vulnerability CAN-2003-1025


CAN-2003-1026: Travel Log Cross Domain Vulnerability Could Allow Remote Code Execution

A vulnerability was reported in the processing of the "travel log" (used by the History 
tab) that allows cross-site scripting attacks.  A remote user can reportedly inject 
specially crafted scripting code so that when a target user loads an affected URL from the 
travel log, arbitrary scripting code will be executed.  The code will run in the security 
context of the target user.  A remote user can cause an executable on the target user's 
system to run.

Microsoft credits Andreas Sandblad for reporting this vulnerability.



CAN-2003-1027: Function Pointer Drag and Drop Operation Vulnerability Could Allow 
Arbitrary Code to be Saved on User's System

It is reported that a remote user can create HTML that will invoke a drag and drop event 
in Internet Explorer to save a file on the target user's system when the target user 
clicks on a specially crafted link.

CAN-2003-1025: Improper URL Canonicalization Vulnerability Could Allow Attacker to Spoof 
Websites

Microsoft confirmed the previously disclosed address bar vulnerability.

As previously reported by Microsoft, this update removes support for handling user names 
and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft 
Internet Explorer. The following URL syntax will no longer be supported in Internet 
Explorer or Windows Explorer:

         http(s)://username:password@server/resource.ext

More information about this is available in Microsoft Knowledge Base article 834489.

Microsoft adds that the syntax "username:password@host.com" will also not be supported in 
URLs for XMLHTTP.


---

IE 5.01, 5.5, and 6 are affected.  The following updates are available:

Internet Explorer 6 Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?FamilyId=70530968-B59A-47C0-90D3-0C884910BC97&displaylang=en

Internet Explorer 6 Service Pack 1 (64-Bit Edition):

http://www.microsoft.com/downloads/details.aspx?FamilyId=326EFFDA-8D86-4683-BC77-9BF410BC620D&displaylang=en

Internet Explorer 6 for Windows Server 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=D78AE4F7-8852-4A04-B8F6-1DE327E598F0&displaylang=en

Internet Explorer 6 for Windows Server 2003 (64-Bit Edition):

http://www.microsoft.com/downloads/details.aspx?FamilyId=6A7894F0-789F-4152-9AE4-8DCB43404149&displaylang=en

Internet Explorer 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=BE0C18BC-7F9A-4196-BFDE-29EBA8CF7A50&displaylang=en

Internet Explorer 5.5 Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=EFFE87F6-7ACA-4A54-B767-5597DDE95C6F&displaylang=en

Internet Explorer 5.01 Service Pack 4:

http://www.microsoft.com/downloads/details.aspx?FamilyId=F5E74139-6E0E-49FD-9AA2-36D2D8454A92&displaylang=en

Internet Explorer 5.01 Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?FamilyId=202D3AAC-6B56-4F4A-8C0F-4183C77B6B51&displaylang=en

Internet Explorer 5.01 Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=17904608-DCEE-4C99-A780-81D6DBC48DD5&displaylang=en


Microsoft reminds customers that this cumulative update (as in the previous cumulative 
updates) will cause the window.showHelp( ) control to no longer work unless you have 
applied the HTML Help update.  See Microsoft Knowledge Base article 811630 for more 
information.


The  Internet Explorer 6 Service Pack 1 (SP1) version of this update must be installed on 
Internet Explorer 6 SP1 (version 6.00.2800.1106) on one of the following versions of Windows:

             * Microsoft Windows NT Server 4.0 Service Pack 6a
             * Microsoft Windows NT Server 4.0 Terminal Server Edition, Service Pack 6
             * Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
             * Microsoft Windows XP
             * Microsoft Windows XP Service Pack 1
             * Microsoft Windows XP 64-Bit Edition, Service Pack 1

The Internet Explorer 6 for Windows Server 2003 version of this update must be installed 
on Internet Explorer 6 (version 6.00.3790.0000) on Windows Server 2003 (32-bit or 64-bit) 
or on Internet Explorer 6 (version 6.00.3790.0000) on Windows XP 64-Bit Edition, Version 2003.

The Internet Explorer 6 version of this update must be installed on Internet Explorer 6 
(version 6.00.2600.0000) on a 32-bit version of Windows XP.

The Internet Explorer 5.5 version of this update must be installed on Internet Explorer 
5.5 Service Pack 2 (version 5.50.4807.2300) on Microsoft Windows Millennium Edition

The Internet Explorer 5.01 version of this update must be installed on one of the following:

   * Internet Explorer 5.01 Service Pack 4 (version 5.00.3700.1000) on Windows 2000 SP4
   * Internet Explorer 5.01 Service Pack 3 (version 5.00.3502.1000) on Windows 2000 SP3
   * Internet Explorer 5.01 Service Pack 2 (version 5.00.3315.1000) on Windows 2000 SP2


This update requires you to reboot your system after installation.


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC