[NT] SaveRef Breaks Internet Explorer's Security Architecture
From: support@securiteam.com Date: 10/21/02
From: support@securiteam.com To: list@securiteam.com Date: 21 Oct 2002 18:52:35 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SaveRef Breaks Internet Explorer's Security Architecture
------------------------------------------------------------------------
SUMMARY
A security vulnerability in Internet Explorer allows a remote attacker to
call "(VictimWindow).document.write" regardless of the window's zone, as
long as the attacker holds a reference to it. This means an attacker can
spawn a new window, have it load, for example, eBay, and then use the write
command to insert additional code that will be executed in eBay's domain.
DETAILS
Saving a reference to "(NewWindow).document.write" while the zone of
"(NewWindow)" is still yours allows you to use that reference again
even after its zone has changed.
This vulnerability is similar to the SaveRef vulnerability Georgi Guninski
found, where a reference to (victimWindow).document was saved. It appears
that Microsoft fixed that vulnerability only by implementing a security
check for the "document" entity.
Demonstration:
A demo is available (outside SecuriTeam's site):
http://www16.brinkster.com/liudieyu/SaveRef_DocumentWrite/SaveRef_DocumentWrite-MyPage.htm
Or
http://clik.to/liudieyu ==> SaveRef_DocumentWrite-MyPage section.
ADDITIONAL INFORMATION
The information has been provided by Liu Die Yu
(liudieyuinchina@yahoo.com.cn).
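
The DETAILS section describes an access check that is applied when the "document" entity is read but not when a previously saved "write" reference is called. The following JavaScript is an added example, not part of the advisory and not Internet Explorer code: a simplified model (the class ModelWindow, its documentFor method and the sample origins are hypothetical) that contrasts a check made only at access time with one repeated at every call.

```javascript
// Simplified model of the bug class; not Internet Explorer internals.
// ModelWindow, documentFor and the origins below are hypothetical names.
class ModelWindow {
  constructor(origin, checkOnCall) {
    this.origin = origin;           // zone/domain currently loaded in the window
    this.content = "";              // what has been written into the page
    this.checkOnCall = checkOnCall; // false: check at access only; true: also at call
  }

  // Loading a new page changes the window's zone and resets its content.
  navigate(origin) {
    this.origin = origin;
    this.content = "";
  }

  // Access check on the "document" entity: only same-origin callers get it.
  documentFor(callerOrigin) {
    if (callerOrigin !== this.origin) throw new Error("access denied");
    return {
      write: (text) => {
        // Hardened form: re-check the caller against the window's current zone.
        if (this.checkOnCall && callerOrigin !== this.origin) {
          throw new Error("access denied");
        }
        this.content += text;
      },
    };
  }
}

// Returns true if fn throws, false if it runs to completion.
function blocked(fn) {
  try { fn(); return false; } catch (e) { return true; }
}

// Save a write reference while same-zone, change zone, then try both paths.
function scenario(checkOnCall) {
  const opener = "http://opener.example";   // constructed sample origins
  const win = new ModelWindow(opener, checkOnCall);
  const savedWrite = win.documentFor(opener).write;
  win.navigate("http://other.example");
  return {
    documentBlocked: blocked(() => win.documentFor(opener)),
    savedWriteBlocked: blocked(() => savedWrite("text")),
    content: win.content,
  };
}

console.log(scenario(false), scenario(true));
```

In the first result the "document" access is refused but the saved reference still writes into the other zone's page; in the second, the per-call check refuses both.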