[NT] Cross-Frame Security Zone Spoofing in Internet Explorer Using the 'About' Protocol

From: support@securiteam.com
Date: 12/13/01


From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 13 Dec 2001 20:03:57 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Cross-Frame Security Zone Spoofing in Internet Explorer Using the 'About' Protocol
------------------------------------------------------------------------

SUMMARY

By appending a simple percent sign after an 'about' URL that has been opened
in a window, you can access some elements of the previous document's object
model.
This means that you can run a script in the security context of "My
Computer" or "Trusted Sites" and embed IFRAMEs (text/x-scriptlet objects)
from varying domains and protocols while the Security Zone still reads "My
Computer" or "Trusted Sites". The limitations of this exploit come from the
security restrictions of the 'about' pluggable protocol and the security
restrictions on embedded objects within this protocol (if you have the
latest patches).
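
For reviewing stored pages or script content for the pattern described above, the following is an added example (not part of the original advisory or its exploit files). It flags 'about:' URLs containing a '%' that does not begin a valid %XX escape, including a bare trailing '%'. The function name, the exact URL shapes and the sample lines are assumptions constructed for illustration.

```javascript
// Added example: find 'about:' URLs with a malformed percent sign.
// The advisory does not give the exact URL, so this checks the general
// pattern it describes: a '%' that is not the start of a %XX escape.

const ABOUT_URL = /\babout:[^\s"'<>)]*/gi;   // an about: URL up to a delimiter
const BAD_PERCENT = /%(?![0-9a-f]{2})/i;     // '%' not followed by two hex digits

// Hypothetical helper: returns one record per suspicious URL found in `text`.
function findSuspiciousAboutUrls(text) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const m of line.matchAll(ABOUT_URL)) {
      const url = m[0];
      if (BAD_PERCENT.test(url)) {
        hits.push({
          line: idx + 1,                        // 1-based line number
          url,
          trailingPercent: url.endsWith('%'),   // the case the advisory names
        });
      }
    }
  });
  return hits;
}

// Constructed sample content (not taken from the advisory).
const SAMPLE = [
  '<a href="about:blank">blank page</a>',          // clean
  '<a href="about:example%">link</a>',             // bare trailing '%'
  '<iframe src="about:hello%20world"></iframe>',   // valid %20 escape
  "<a href='about:test%zzpage'>link</a>",          // '%' not followed by hex
].join('\n');

const results = findSuspiciousAboutUrls(SAMPLE);
for (const r of results) {
  console.log(`line ${r.line}: ${r.url} (trailing %: ${r.trailingPercent})`);
}
```
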

DETAILS

Vulnerable systems:
Internet Explorer version 6.0.2600.0000
Internet Explorer version 5.50.4134.0100

Exploits:
All exploit code is available from:
http://www.osioniusx.com

"trustedSites.html" - Opens an about page in a trusted zone and navigates
to a JavaScript URL while remaining in the Trusted Zone.

"Domains.html" - Opens two remote sites in IFRAMEs while remaining in
the My Computer Zone (instead of mixed). You could just as well open
.hta, .vbs, even .bat files in this manner.

"MyComputer.html" - Opens an about page in the My Computer zone and
navigates to a JavaScript URL.

ADDITIONAL INFORMATION

The information has been provided by the Pull (osioniusx@yahoo.com).
