Multiple Vulnerabilities in Microsoft Internet Explorer - 20 Jun 2003

Reported June 17, 2003, by GreyMagic Security Research.





·Microsoft Internet Explorer (IE) 6.0, 5.5, and 5.01





Two new vulnerabilities in Microsoft IE can result in the execution of arbitrary code on the vulnerable system. These two vulnerabilities consist of the following:


· A cross site scripting vulnerability results from IE not filtering a displayed URL properly and might cause the browser to render HTML passed in the querystring of the URL.

· A script-injection vulnerability results from a flaw in a common function that internal resources use. An attacker can exploit this flaw to execute script commands in the My Computer zone.


For detailed information about these vulnerabilities, see the discoverer’s web site.



The discoverer posted the following demonstrations as proof of concept:

Cross-Site Scripting in Unparsable XML Files

This sample shows the basic URL for injecting content:


Script Injection to Custom HTTP Errors in Local Zone:

This URL will cause the resource to output a "javascript:" link to the document, which will execute when the user clicks on it:


Copy and paste the above URL in your browser, then click the red link in order to test it.



Microsoft was notified on February 20, 2003, but hasn't released a fix for these problems.



Discovered by Grey Magic Security Research.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.