BugTraq
Re: Internet Explorer and Opera local zone restriction bypass Oct 26 2003 04:57AM
Mohsen Hariri (mohsen_hariri yahoo com)
In-Reply-To: <20031024135303.26267.qmail (at) linuxmail (dot) org [email concealed]>

It worked for me: IE6 on XP-SP1. But it seems to be more a Flash Player MX plugin bug than an IE bug, because it stores cookies (Flash documents call it SharedObject) on disk, in a fixed location.

bye

>Subject: Internet Explorer and Opera local zone restriction bypass

>

>Internet Explorer and Opera local zone restriction bypass.

>=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=

>

>----------------------

>Vendor Information:

>----------------------

>

>Homepage : http://www.microsoft.com

>Vendor : informed

>Mailed advisory: 23/10/03

>Vendor Response : None yet

>

>

>----------------------

>Affected Versions:

>----------------------

>

>All versions of IE 6

>Possibly 5.x too

>

>

>----------------------

>Description:

>----------------------

>

>Microsoft Internet Explorer does not allow local file access by a remote host by default.

>By creating an iframe which points to a specially crafted cgi script (using the location header

>to confuse IE), it is possible to cause IE to execute any local file through the iframe with local

>zone restrictions. This then allows remote arbitrary file execution on the victim without having

>the victim do a thing except load the page.

>Opera seems to not only be affected by this vulnerability, but it also allows direct

>local file access through iframes without any cgi scripts. Unlike IE where it is possible

>to set activex objects to execute arbitrary files, in Opera it is not. There may be a way,

>but I am currently not aware of any.

>

>

>----------------------

>Exploit:

>----------------------

>

>I have created a proof of concept page, but I did not show or explain how the cgi scripts

>nor the flash file work exactly to prevent kiddie abuse.

>

>For IE: http://www.mlsecurity.com/ie/ie.htm

>

>For Opera: <iframe name="abc" src="file:///C:/"></iframe>

>

>----------------------

>Solution:

>----------------------

>

>Check Microsoft's website frequently until a new patch comes out.

>

>----------------------

>Contact:

>----------------------

>

>- Mindwarper

>- mindwarper (at) linuxmail (dot) org [email concealed]

>- http://mlsecurity.com

>


Copyright 2010, SecurityFocus