SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Microsoft Internet Explorer Vendors:   Microsoft
(Vendor Issues Fix) Microsoft Internet Explorer May Let Remote Users Read or Write Files Via the dragDrop() Method
SecurityTracker Alert ID:  1013123
SecurityTracker URL:  http://securitytracker.com/id/1013123
CVE Reference:   CVE-2003-0823, CVE-2003-1027   (Links to External Site)
Date:  Feb 8 2005
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Microsoft Internet Explorer. A remote user can create malicious code that will effect the dragging and dropping of arbitrary HTML.

Jelmer reported a vulnerability in the dragDrop() method. According to the report, a remote user can create malicious HTML that, when activated by the target user with the mouse down action ("handleOnmousedown()"), will drop arbitrary text into an HTML upload control [CVE: CVE-2003-0823]. This reportedly allows a remote user to read or write arbitrary specified files to/from the target user's system with the privileges of the target user.

A demonstration exploit page is available at:

http://kuperus.xs4all.nl/security/ie/xfiles.htm

On November 11, 2003, Microsoft issued a fix that appeared to address this flaw reported by Jelmer.

On November 16, 2003, Liu Die Yu reported that a remote user can invoke method caching (i.e., "SaveRef") to tranform a click event (e.g., mousedown, mouseup) to a drag-and-drop event (e.g., mousedown, mousemove, mouseup) even if the MS03-048 patch is applied [CVE: CVE-2003-1027].

Impact:   A remote user can read arbitrary specified files on the target user's system if the target user clicks on an apparent link.

A remote user can place a file containing arbitrary contents on the target user's system when the user clicks on a link.

Solution:   The vendor has issued the following fixes:

Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4:

http://www.microsoft.com/downloads/details.aspx?FamilyId=3B6A6CC1-CCE4-4462-A0D2-E88D38DEF807

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=865B5D9D-FC5B-4F91-A860-2C35A025A907

Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium):

http://www.microsoft.com/downloads/details.aspx?FamilyId=B6DAA99A-6E0B-477D-99E9-5237BCF57762

Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium):

http://www.microsoft.com/downloads/details.aspx?FamilyId=9EE7FF53-20EC-4B75-A255-72DD0AB52FF3

Microsoft Windows Server 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=80AA33F4-E5B0-42A6-844B-F80D6168E25E

Microsoft Windows Server 2003 for Itanium-based Systems:

http://www.microsoft.com/downloads/details.aspx?FamilyId=9EE7FF53-20EC-4B75-A255-72DD0AB52FF3

A restart is required.

Please note that this vulnerability also requires that you apply the cumulative updated described in MS05-014, available at:

http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms05-008.mspx (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Windows (98), Windows (2000), Windows (2003), Windows (XP)
Underlying OS Comments:  98, 2000 SP3 and SP4, 2003, and XP SP1 and SP2

Message History:   This archive entry is a follow-up to the message listed below.
Feb 3 2003 Microsoft Internet Explorer May Let Remote Users Read or Write Files Via the dragDrop() Method



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC