[NT] Additional Details on the Microsoft IE Cookies Exposure via 'About:' URLS
From: support@securiteam.com
Date: 11/14/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Additional Details on the Microsoft IE Cookies Exposure via 'About:' URLS
Message-Id: <20011114205029.7E3C9138BF@mail.der-keiler.de>
Date: Wed, 14 Nov 2001 21:50:29 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Additional Details on the Microsoft IE Cookies Exposure via 'About:' URLS
------------------------------------------------------------------------
SUMMARY
As we reported in our previous article, "Cookie Data in IE Can Be Exposed
or Altered Through Script Injection"
(<http://www.securiteam.com/windowsntfocus/6S00C0A35W.html>), a security
vulnerability has been uncovered in the way Internet Explorer handles
JavaScript inside "about:" URLs. The vulnerability gives an attacker
access to the web user's stored cookies.
DETAILS
Microsoft Internet Explorer has a vulnerability that allows a malicious
website to access any cookie in the browser's memory or those stored on
disk. Cookies are used by web sites for storing preferences, statistics
and tracking users, but also for storing more sensitive information such
as session keys and even usernames and passwords. Cookies are used by many
(probably most) online banks, web mail systems, and other sites requiring
user authentication.
Access to cookies may allow an attacker to retrieve passwords or other
sensitive information, or hijack authenticated web sessions.
What makes this possible are certain features of IE's "about:" URL
handling. A URL starting with "about:" can contain HTML code that the
browser renders. For instance, entering the URL "about:<h1>hello</h1>"
brings up a page with the heading "hello". The URL may contain JavaScript
as well: going to the following location with IE causes an alert box to
be displayed:
about:<script language=JavaScript>alert('ALERT');</script>
Finally, the about: URL may have a hostname placed after the colon, and IE
uses that hostname when determining which cookies to expose:
about://www.anydomain.fi/<script language=JavaScript>alert(document.cookie);</script>
The above URL would result in IE displaying cookies of www.anydomain.fi in
the alert box, assuming that the site has been visited and it has set a
cookie that has not expired.
A malicious website can have a piece of JavaScript redirecting the browser
to an about: URL similar to the one above, and do anything with the cookie
information of any selected domain. Instead of showing an alert box, the
JavaScript code might just pass the cookie contents to a script or a CGI
program which could quietly store the information to a file and then
redirect the browser elsewhere or show some seemingly harmless web
content.
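The two behaviours described above (markup rendered from an about: URL, and a hostname after the colon selecting which domain's cookies document.cookie returns) give a defender a concrete pattern to look for in proxy or gateway logs: navigations to about: URLs that carry a host and a script tag. The following is an added example written for this page, not code from the advisory or from its author; the log format, the sample lines and the risk levels are constructed assumptions. It decodes percent-encoding before matching so that an encoded "<script>" is treated the same as a literal one.

```python
import re
from urllib.parse import unquote

# Constructed sample proxy log (assumed format: "<time> <client> <url>");
# the about: URLs mirror the forms described in the advisory.
SAMPLE_LOG = """\
10:41:02 10.0.0.7 http://www.google.com/
10:41:05 10.0.0.7 about:blank
10:41:09 10.0.0.7 about:<h1>hello</h1>
10:41:15 10.0.0.7 about://www.anydomain.fi/<script language=JavaScript>alert(document.cookie);</script>
10:41:20 10.0.0.7 about://www.anydomain.fi/%3Cscript%3Ealert(document.cookie)%3C/script%3E
"""

ABOUT_PREFIX = "about:"
TAG_RE = re.compile(r"<\s*[a-zA-Z!/]")          # any HTML-looking tag start
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)
HOST_RE = re.compile(r"^//([^/<>\s]+)")         # "about://host/..." form


def classify_about_url(url):
    """Return None for non-about: URLs, otherwise a dict of the risky features:
    the host that would scope document.cookie, whether markup is embedded,
    and whether a script tag is present."""
    url = url.strip()
    if not url.lower().startswith(ABOUT_PREFIX):
        return None
    # Decode %3C / %3E etc. so encoded tags are not missed by the filter.
    body = unquote(url[len(ABOUT_PREFIX):])
    m = HOST_RE.match(body)
    host = m.group(1).lower() if m else None
    return {
        "host": host,
        "has_markup": bool(TAG_RE.search(body)),
        "has_script": bool(SCRIPT_RE.search(body)),
    }


def risk_level(info):
    """Assumed severity scale for a filter or alert rule."""
    if info is None or not info["has_markup"]:
        return "none"          # plain about:blank, about:home, or not an about: URL
    if info["has_script"] and info["host"]:
        return "high"          # script plus host: the cookie-scoping case above
    if info["has_script"]:
        return "medium"        # script, but no host selecting a cookie domain
    return "low"               # static markup only


def scan_log(text):
    """Return (time, client, level, host) for every about: URL worth flagging."""
    findings = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)      # the URL may itself contain spaces
        if len(parts) < 3:
            continue
        ts, client, url = parts
        info = classify_about_url(url)
        level = risk_level(info)
        if level != "none":
            findings.append((ts, client, level, info["host"]))
    return findings


if __name__ == "__main__":
    for ts, client, level, host in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} {level:6} host={host}")
```

Run stand-alone, the script flags three of the five sample lines: the static-markup URL as low, and both the literal and the percent-encoded script URLs naming www.anydomain.fi as high. The same classify_about_url check can be applied to a single URL at a gateway before the browser is allowed to follow it.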
A web page for testing the vulnerability can be found at
<http://www.solutions.fi/iebug/>. You can type in the address of a website
that uses cookies (without "http://") and it will tell you whether your
browser is vulnerable to the problem. For a relatively harmless test case,
try typing the address www.google.com in the box, assuming you have visited
Google before.
At least IE versions 6 and 5.50 appear to be vulnerable, but some older
versions such as 5.00 do not appear to be, at least in the way described
above: version 5.00 interprets the HTML and JavaScript, but document.cookie
contains no cookie data.
A vulnerability with the same impact came public in May 2000, see:
<http://www.peacefire.org/security/iecookies/>.
Workaround:
You can protect yourself from the vulnerability by disabling cookies (at
Tools -> Internet options -> Security -> Customize) or by switching to
another browser such as Opera or Netscape, which do not appear to have the
same about: URL features.
Solution:
See our previous article, "Cookie Data in IE Can Be Exposed or Altered
Through Script Injection":
<http://www.securiteam.com/windowsntfocus/6S00C0A35W.html>
ADDITIONAL INFORMATION
The information has been provided by Jouko Pynnonen <jouko@solutions.fi>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.