Cross Site Scripting Vulnerability in Microsoft WebBrowser Control

Reported April 17, 2002, by Thor Larholm.

VERSIONS AFFECTED

  • Microsoft Internet Explorer
  • Microsoft Outlook
  • Microsoft Outlook Express
  • All applications that host the WebBrowser control (IE6.0 or newer)

DESCRIPTION

A universal cross-site scripting vulnerability exists in Microsoft’s WebBrowser control. An attacker can exploit it, which can result in elevated privileges and session hijacking of the MSN Messenger client. The vulnerability stems from an error in the validation code in the dialogArguments property. For additional, detailed information, visit the discoverer’s Web site.

VENDOR RESPONSE

The vendor, Microsoft, has not released a hotfix or workaround for this vulnerability.

CREDIT
Discovered by Thor Larholm.

TAGS: Security