A vulnerability has been reported in the JavaScript same-origin policy implementations of several web browsers, including Microsoft Internet Explorer (IE). A remote user can use scripting code to retrieve web content from a victim's internal network (intranet), even when that network is protected by a firewall, because the request is made by the victim's own browser from inside the network.
This could be used to read sensitive content from the victim's internal network or to reach internal hosts that are not otherwise exposed.
Quote:
"The vulnerability is due to a limitation in IE's same-origin policy implementation. This policy is enforced on a hostname basis, creating sandboxes around pages based on a 'document.domain' match. JavaScript in one frame of a document can access another frame of the same document as long as the domains of the two frames match.
A remote user with control over an arbitrary DNS zone can create a malicious web page containing JavaScript to implement the attack. The remote user must get the target user's IE web browser to load a URL on a web site in the DNS domain that the remote user controls (e.g., foo.bar.[host].[domainname]). The JavaScript in the malicious web page will then set document.domain to a parent hostname in the same domain (e.g., bar.[host].[domainname]) that actually maps to an IP address of a host on the target user's internal network. According to the report, this is valid because the new domain is a parent of the previous domain.
Then, the malicious javascript loads a page from this new domain (the host on the target user's internal network) into a hidden frame. The code can then access the hidden frame (again, this is permitted because the document.domain value of the two frames is considered a match by the policy) and send the contents back to the remote user via HTTP.
The malicious code can reportedly access arbitrary SOAP- or XML-RPC-based web services in certain cases (e.g., where the remote user's DNS server has the refresh/expire TTL set to zero, prohibiting caching). On IE, this uses the XMLHTTP ActiveX control."
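The following is an added model of the frame-access decision described in the quoted report; it is not code from the report or from any browser, and it contacts no network. The attacker's zone (attacker.example), the IP addresses and the two access rules are assumptions for illustration: legacyDomainMatch() encodes the hostname-only document.domain comparison the report blames, and sameOriginDomain() encodes the rule later written into the HTML Standard as "same origin-domain" (if either document set document.domain, both must have set it to the same value). The public-suffix check in setDocumentDomain() is simplified to "contains a dot".

```javascript
// Added example (not from the original report). All hostnames and
// addresses below are constructed for illustration.

// Constructed DNS zone controlled by the attacker. The parent name
// bar.attacker.example is pointed at an address on the victim's intranet.
const ATTACKER_DNS = {
  "foo.bar.attacker.example": "203.0.113.10", // attacker's own web server
  "bar.attacker.example": "10.0.0.5",         // victim's internal host
};

// A document as the policy sees it: the host it was loaded from, the
// current value of document.domain, and whether the page explicitly set it.
function makeDocument(host) {
  return { host, domain: host, domainSet: false };
}

// Assignment to document.domain. Browsers only allow relaxing to a parent
// (suffix) of the current host; that is exactly what the attack relies on,
// since foo.bar.attacker.example -> bar.attacker.example is a parent.
// Assumption: a single-label value such as "example" stands in for a
// public suffix and is rejected.
function setDocumentDomain(doc, newDomain) {
  const isParent =
    newDomain === doc.host || doc.host.endsWith("." + newDomain);
  if (!isParent || newDomain.indexOf(".") === -1) {
    throw new Error("cannot set document.domain to " + newDomain);
  }
  doc.domain = newDomain;
  doc.domainSet = true;
}

// The check the report describes: two frames may script each other as
// long as their document.domain values match. Nothing else is considered.
function legacyDomainMatch(a, b) {
  return a.domain === b.domain;
}

// The HTML Standard "same origin-domain" rule: if either side has set
// document.domain, both must have set it and the values must be equal;
// otherwise the origins themselves (here, the hosts) must match.
function sameOriginDomain(a, b) {
  if (a.domainSet || b.domainSet) {
    return a.domainSet && b.domainSet && a.domain === b.domain;
  }
  return a.host === b.host;
}

// Runs the attack from the report against a given access rule and reports
// where the hidden frame's content came from and whether it could be read.
function runAttack(accessRule) {
  // Step 1: the victim loads the malicious page in the attacker's zone.
  const malicious = makeDocument("foo.bar.attacker.example");
  // Step 2: the page relaxes its domain to the parent name ...
  setDocumentDomain(malicious, "bar.attacker.example");
  // Step 3: ... and loads that name into a hidden frame. The attacker's
  // DNS resolves it to an internal address, so the frame holds the
  // intranet page, fetched by the victim's browser from inside the firewall.
  const frameHost = "bar.attacker.example";
  const hidden = makeDocument(frameHost);
  const contentFrom = ATTACKER_DNS[frameHost];
  // Step 4: decide whether the malicious page may read the hidden frame.
  return { contentFrom, canRead: accessRule(malicious, hidden) };
}

// Stand-alone demonstration of both rules.
console.log("hostname-only match:", runAttack(legacyDomainMatch));
console.log("same origin-domain: ", runAttack(sameOriginDomain));
```

Under the hostname-only rule the intranet frame (content served from 10.0.0.5) is readable, because both documents carry the domain bar.attacker.example. Under the same origin-domain rule the read is refused: the intranet page never set document.domain, so the attacker's relaxation on its own side does not create a match. This is the property to check when auditing any custom origin comparison in a browser, embedded WebView or proxy.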
There is no solution available from Microsoft at this time.
Reported by: Adam Megacz