Reported June 17, 2003, by GreyMagic Security Research.

VERSIONS AFFECTED

 

· Microsoft Internet Explorer (IE) 6.0, 5.5, and 5.01

DESCRIPTION

 

Two new vulnerabilities in Microsoft IE can result in the execution of arbitrary code on the vulnerable system. The two vulnerabilities are:

· A cross-site scripting vulnerability results from IE not filtering a displayed URL properly, which can cause the browser to render HTML passed in the query string of the URL.

· A script-injection vulnerability results from a flaw in a common function that internal resources use. An attacker can exploit this flaw to execute script commands in the My Computer zone.

For detailed information about these vulnerabilities, see the discoverer’s web site.

DEMONSTRATION

The discoverer posted the following demonstrations as proof of concept:

Cross-Site Scripting in Unparsable XML Files

This sample shows the basic URL for injecting content:

http://host.with.unparsable.xml.file/flaw.xml?<script>alert(document.cookie)</script>

Script Injection to Custom HTTP Errors in Local Zone

This URL will cause the resource to output a "javascript:" link to the document, which will execute when the user clicks on it:

res://shdoclc.dll/HTTP_501.htm#javascript:%2f*://*%2falert(location.href)/

Copy and paste the above URL in your browser, then click the red link in order to test it.
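Both demonstrations above share a root cause: a page that is generated from a URL trusts part of that URL. The error page for an unparsable XML file reflects the requested URL into HTML without encoding it, and the HTTP_501 resource page turns its fragment into a link without checking the link's scheme. The following is an added example, not code from the GreyMagic advisory or from Microsoft, that shows the two defensive patterns a page generator needs in order to close each class of flaw. The function names (renderErrorPage, safeLinkHref) and the sample URLs are constructed for illustration and are not identifiers from the advisory.

```javascript
// Added example (not part of the GreyMagic advisory). Two defensive
// patterns for pages that are built from a request URL:
//
// 1. escapeHtml / renderErrorPage: an error page that reflects the
//    requested URL must HTML-encode it before inserting it into markup,
//    so "<script>...</script>" in the query string is shown as text and
//    never parsed as an element.
// 2. safeLinkHref: a link whose target comes from caller-supplied input
//    (here, a URL fragment) must be checked against an allow-list of
//    schemes after percent-decoding, so "javascript:" cannot be smuggled
//    in with encoding tricks such as %2f-encoded comment delimiters.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that can change HTML context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the URL is interpolated straight into the markup,
// so any tags in the query string become part of the rendered page.
function renderErrorPageUnsafe(requestUrl) {
  return `<p>The XML page cannot be displayed: ${requestUrl}</p>`;
}

// Hardened pattern: the URL is HTML-encoded before interpolation.
function renderErrorPage(requestUrl) {
  return `<p>The XML page cannot be displayed: ${escapeHtml(requestUrl)}</p>`;
}

// Schemes a generated link may use. Everything else (javascript:, data:,
// vbscript:, res:, file:, ...) is refused and replaced by an inert href.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Return a safe href for a link whose target came from untrusted input.
// Percent-decoding is applied first so that an encoded scheme or encoded
// comment characters are seen as the browser would see them.
function safeLinkHref(candidate) {
  let decoded;
  try {
    decoded = decodeURIComponent(candidate);
  } catch (e) {
    return "#"; // malformed percent-encoding: refuse it
  }
  // Drop leading control and whitespace characters, which browsers ignore
  // when resolving the scheme.
  decoded = decoded.replace(/^[\u0000-\u0020]+/, "");
  let parsed;
  try {
    parsed = new URL(decoded);
  } catch (e) {
    return "#"; // not an absolute URL: refuse it
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : "#";
}
```

The allow-list approach is deliberate: a deny-list that only strips the literal string "javascript:" is defeated by percent-encoding, embedded comments, or leading whitespace, whereas parsing the decoded value and accepting only http: and https: refuses every variant, including the encoded form used in the advisory's second demonstration.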

VENDOR RESPONSE

Microsoft was notified on February 20, 2003, but hasn't released a fix for these problems.

CREDIT

Discovered by GreyMagic Security Research.