Microsoft Internet Explorer Input Validation Hole Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1018192|
SecurityTracker URL: http://securitytracker.com/id/1018192
(Links to External Site)
Updated: May 12 2008|
Original Entry Date: Jun 5 2007
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information|
Exploit Included: Yes |
Version(s): 6, 7|
A vulnerability was reported in Microsoft Internet Explorer. A remote user can conduct cross-domain scripting attacks.|
This can be exploited to set or read cookies, read or modify form submissions, execute scripting code, and read or write DOM objects that have not be fully initialized.
A demonstration exploit is available at:
Michal Zalewski discovered this vulnerability.
A remote user can conduct cross-domain scripting attacks.|
No solution was available at the time of this entry.|
Vendor URL: www.microsoft.com/ (Links to External Site)
Input validation error|
|Underlying OS: Windows (Any)|
Source Message Contents
Subject: Assorted browser vulnerabilities|
Will keep it brief. A couple of browser bugs, fresh from the oven, hand
crafted with love:
1) Title : MSIE page update race condition (CRITICAL)
Impact : cookie stealing / setting, page hijacking, memory corruption
Demo : http://lcamtuf.coredump.cx/ierace/
...aka the bait & switch vulnerability.
that meets same-domain origin policy (and hence can be scriptually
accessed and modified by the attacker) to an unrelated third-party
site, there is a window of opportunity for concurrently executed
but actual content for the newly loaded page, for example:
- Read or set victim.document.cookie,
- Arbitrarily alter document DOM, including changing form submission
URLs, injecting code,
- Read or write DOM structures that were not fully initialized,
prompting memory corruption and browser crash.
This is tested on MSIE6 and MSIE7, fully patched.
2) Title : Firefox Cross-site IFRAME hijacking (MAJOR)
Impact : keyboard snooping, content spoofing, etc
Demo : http://lcamtuf.coredump.cx/ifsnatch/
Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=382686 [May 30]
event handlers, on pages that rely on IFRAMEs to display contents or
store state data / communicate with the server.
This is related to a less severe variant independently reported by
Ronen Zilberman two weeks earlier (bug 381300).
3) Title : Firefox file prompt delay bypass (MEDIUM)
Impact : non-consentual download or execution of files
Demo : http://lcamtuf.coredump.cx/ffclick2/
Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=376473 [Apr 04]
A sequence of blur/focus operations can be used to bypass delay timers
implemented on certain Firefox confirmation dialogs, possibly enabling
the attacker to download or run files without user's knowledge or
3) Title : MSIE6 URL bar spoofing (MEDIUM)
Impact : mimicking an arbitrary site, possibly including SSL data
Demo : http://lcamtuf.coredump.cx/ietrap2/
MSIE6 vulnerability, similar but unrelated to my earlier onUnload
entrapment flaw, allows sites to spoof URL bar data.
MSIE7 is not affected because of certain high-level changes in the