Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Browser)  >   Microsoft Internet Explorer Vendors:   Microsoft
Microsoft Internet Explorer Input Validation Hole Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1018192
SecurityTracker URL:
CVE Reference:   CVE-2007-3091   (Links to External Site)
Updated:  May 12 2008
Original Entry Date:  Jun 5 2007
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 6, 7
Description:   A vulnerability was reported in Microsoft Internet Explorer. A remote user can conduct cross-domain scripting attacks.

A remote user can exploit a race condition when Javascript code navigates the browser to a different domain to cause scripting code on the new page to run in the security context of the original domain.

This can be exploited to set or read cookies, read or modify form submissions, execute scripting code, and read or write DOM objects that have not be fully initialized.

A demonstration exploit is available at:

Michal Zalewski discovered this vulnerability.

Impact:   A remote user can conduct cross-domain scripting attacks.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  Assorted browser vulnerabilities


Will keep it brief. A couple of browser bugs, fresh from the oven, hand
crafted with love:

1) Title    : MSIE page update race condition (CRITICAL)
   Impact   : cookie stealing / setting, page hijacking, memory corruption
   Demo     :

   ...aka the bait & switch vulnerability.

   When Javascript code instructs MSIE6/7 to navigate away from a page
   that meets same-domain origin policy (and hence can be scriptually
   accessed and modified by the attacker) to an unrelated third-party
   site, there is a window of opportunity for concurrently executed
   Javascript to perform actions with the permissions for the old page,
   but actual content for the newly loaded page, for example:

     - Read or set victim.document.cookie,

     - Arbitrarily alter document DOM, including changing form submission
       URLs, injecting code,

     - Read or write DOM structures that were not fully initialized,
       prompting memory corruption and browser crash.

   This is tested on MSIE6 and MSIE7, fully patched.

2) Title    : Firefox Cross-site IFRAME hijacking (MAJOR)
   Impact   : keyboard snooping, content spoofing, etc
   Demo     :
   Bugzilla : [May 30]

   Javascript can be used to inject malicious code, including key-snooping
   event handlers, on pages that rely on IFRAMEs to display contents or
   store state data / communicate with the server.

   This is related to a less severe variant independently reported by
   Ronen Zilberman two weeks earlier (bug 381300).

3) Title    : Firefox file prompt delay bypass (MEDIUM)
   Impact   : non-consentual download or execution of files
   Demo     :
   Bugzilla : [Apr 04]

   A sequence of blur/focus operations can be used to bypass delay timers
   implemented on certain Firefox confirmation dialogs, possibly enabling
   the attacker to download or run files without user's knowledge or

3) Title    : MSIE6 URL bar spoofing (MEDIUM)
   Impact   : mimicking an arbitrary site, possibly including SSL data
   Demo     :

   MSIE6 vulnerability, similar but unrelated to my earlier onUnload
   entrapment flaw, allows sites to spoof URL bar data.

   MSIE7 is not affected because of certain high-level changes in the


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC