SecurityTracker.com
Category:   Application (E-mail Client)  >   Microsoft Outlook Express
Vendors:   Microsoft
Microsoft Outlook Express 'mhtml:' Redirect URL Processing Lets Remote Users Bypass Security Domains
SecurityTracker Alert ID:  1016005
SecurityTracker URL:  http://securitytracker.com/id/1016005
CVE Reference:   CVE-2006-2111
Updated:  Jun 12 2007
Original Entry Date:  Apr 27 2006
Impact:   Modification of system information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 6
Description:   A vulnerability was reported in Microsoft Outlook Express. A remote user may be able to access information on behalf of the target user.

The software does not properly process HTTP 302 redirect responses containing 'mhtml:' URLs.

A remote user can create HTML that references a page on a site controlled by the remote user (e.g., 'http://[attacker_site]/page_x'). When the target user loads the URL, the remote user's site returns a specially crafted HTTP 302 response whose Location header points, via an 'mhtml:' URL, to a different page (e.g., 'page_y') on the same site controlled by the remote user, as shown below:

Location: mhtml:http://[attacker_site]/page_y

When the target user's browser loads this redirect URL, the remote user's site returns another HTTP 302 Location response that, in turn, points to an arbitrary site. JavaScript running in the context of the original HTML page can then access content from the arbitrary site with the privileges of the target user, crossing security domain boundaries.

Secunia posted a demonstration exploit based on proof-of-concept code by 'codedreamer':

http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/

[Editor's note: This vulnerability was originally reported as affecting Internet Explorer (IE). On October 19, 2006, Microsoft indicated that the vulnerability resides in a component of Outlook Express and not IE. However, IE can be used as an attack vector.]
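The redirect described above leaves a recognizable trace on the wire: an HTTP redirect whose Location value begins with 'mhtml:'. The following detection check is an added example, not code from SecurityTracker or Microsoft; it assumes that captured response heads are available (for example from a proxy) and that any redirect to an 'mhtml:' URL is worth flagging, and all host names and sample responses in it are constructed.

```python
import re
from typing import NamedTuple, Optional

# Status codes that carry a Location header the client will follow.
REDIRECT_CODES = {301, 302, 303, 307, 308}
STATUS_RE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})")

class Finding(NamedTuple):
    status: int
    location: str   # Location value as sent by the server
    inner_url: str  # URL wrapped by the mhtml: prefix

def parse_head(raw: str):
    """Split a raw response head into (status, {lowercased header: value})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = STATUS_RE.match(lines[0].strip())
    if not m:
        return None, {}
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block; body is not inspected
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers

def check_response(raw: str) -> Optional[Finding]:
    """Return a Finding when a redirect's Location uses the mhtml: scheme."""
    status, headers = parse_head(raw)
    location = headers.get("location", "")
    if status not in REDIRECT_CODES:
        return None
    # URL schemes are case-insensitive, so compare in lower case.
    if not location.lower().startswith("mhtml:"):
        return None
    return Finding(status, location, location[len("mhtml:"):])

# Constructed sample response heads (not taken from real traffic).
SAMPLES = [
    "HTTP/1.1 302 Found\r\nLocation: mhtml:http://redirector.example/page_y\r\n\r\n",
    "HTTP/1.1 302 Found\r\nlocation:   MHTML:http://redirector.example/page_y\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: http://www.example/login\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nmhtml: in a body is ignored",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_response(raw))
```

The check flags the first two samples and passes the ordinary redirect and the non-redirect response.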

Impact:   A remote user can create HTML that, when loaded by the target user, will run in one domain but will be able to access content from an arbitrary, different domain.
Solution:   Microsoft has issued the following fixes as part of a cumulative update for Microsoft Outlook and Windows Mail.

Windows XP Service Pack 2, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=27cca556-0872-4803-b610-4c895ceb99aa

Windows XP Professional x64 Edition, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=1ea813bf-bddb-40f0-8960-b9debc8413e7

Windows XP Professional x64 Edition Service Pack 2, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=1ea813bf-bddb-40f0-8960-b9debc8413e7

Windows Server 2003 Service Pack 1, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=93808a74-035c-4ab7-9283-c693d7bd82be

Windows Server 2003 Service Pack 2, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=93808a74-035c-4ab7-9283-c693d7bd82be

Windows Server 2003 x64 Edition, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=f63323a9-e285-45e5-84bd-71ae9da126e3

Windows Server 2003 x64 Edition Service Pack 2, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=f63323a9-e285-45e5-84bd-71ae9da126e3

Windows Server 2003 with SP1 for Itanium-based Systems, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=2e62e96e-6571-437d-a612-99175ac39025

Windows Server 2003 with SP2 for Itanium-based Systems, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=2e62e96e-6571-437d-a612-99175ac39025

Windows Vista, Windows Mail:

http://www.microsoft.com/downloads/details.aspx?FamilyId=ee57de19-44ea-48f2-ae28-e76fd2018633

Windows Vista x64 Edition, Windows Mail:

http://www.microsoft.com/downloads/details.aspx?FamilyId=343db20f-7794-4423-b11d-885329fbdf78

A restart is not required.

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms07-034.mspx

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms07-034.mspx
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.

Copyright 2019, SecurityGlobal.net LLC