April 17 Alert: IE Cross-Site Scripting

  1. #1
    Senior Member
    Join Date
    Jan 2002

    April 17 Alert: IE Cross-Site Scripting




    April 17, 2002


    Bugtraq posts yesterday and today from unrelated security
    researchers describe flaws in Internet Explorer (IE) versions 5,
    5.5, and 6 that allow Cross-Site Scripting (CSS) attacks. A hacker
    could exploit this flaw to execute code on your machine, run scripts
    within the My Computer zone, or hijack your MSN Messenger client.
    There is no direct impact on WatchGuard products. Administrators
    using IE 5.x or 6 in their network should evaluate following the
    workaround below until a patch is available.


    Internet Explorer includes some methods that Web sites can use to
    open dialog windows. Once a dialog window is open, the Web site can
    pass objects between its page and the dialog window. To make this
    feature more secure, IE performs a validation and only allows Web
    sites to interact with dialog windows that are in the same domain
    and using the same port or protocol as the original page. If a Web
    site opens a dialog window to a third party site, IE should prevent
    any interaction between the two.

    However, in his advisory <http://jscript.dk/adv/TL002/>, Thor
    Larholm explains that "unfortunately, the validation code only
    checks the original URL instead of the final URL." Bear in mind that
    a dialog box is simply more HTML code, so from IE's viewpoint it is
    another Web page. To execute the attack, a hacker would craft
    malicious HTML code (which could be on a Web site, or sent as an
    HTML e-mail to the victim). When clicked on, the HTML would open a
    specially-crafted dialog box in the proper domain to pass IE's URL
    validation check. But further code in the dialog box could then
    redirect the victim from the originating site to the desired dialog
    page, fooling IE's dialog security measure. With this security
    measure out of the way, the hacker is free to pass information back
    and forth between any site in the dialog box, and his own site.

    This would be bad enough on its own (for example, using this
    technique an attacker could redirect you to an e-trading site and
    see what you do). But Larholm also discovered that some of the
    default error pages that ship with IE 6 are susceptible to this
    vulnerability. By applying this Cross-Site Scripting attack
    to these default error pages, a hacker could run scripts in IE's My
    Computer zone (less restricted), hijack your MSN Messenger client,
    or run any program on your machine.

    In Larholm's original advisory, IE6 was the only version of IE
    susceptible to this Cross-Site Scripting attack. However, GreyMagic
    quickly followed with an advisory <http://sec.greymagic.com/adv/gm001-ax/>
    confirming Larholm's findings and describing a component that ships
    with IE5 and 5.5 which is also vulnerable to this Cross-Site
    Scripting attack. In short, IE 5, 5.5 and 6 are all susceptible.


    Microsoft has not released a patch yet. However, according to
    Larholm, IE users can prevent this attack by disabling scripting in
    IE. To do this, click on Tools => Internet Options => Security tab
    in IE. Highlight the Internet zone and click the Custom Level
    button. Scroll down till you find "Active Scripting" and check
    Disable. Finally, click on OK twice. Keep in mind, many Web sites
    and HTML based applications might require Active Scripting for
    normal usage. Disabling Active Scripting could prevent safe sites
    from working properly.
    "I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
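
The flaw quoted above, validation that "only checks the original URL instead of the final URL", modelled as an added example (not part of the original post and not Internet Explorer's code). The hostnames, the redirect table and every function name are constructed for illustration; the comparison covers protocol, host and port as the alert describes.

```javascript
// Constructed model of the dialog-origin check; not Internet Explorer's code.

// Origin = protocol + host + port, the three things the alert says must match.
function originOf(url) {
  const u = new URL(url);
  const defaults = { 'http:': '80', 'https:': '443' };
  return `${u.protocol}//${u.hostname}:${u.port || defaults[u.protocol] || ''}`;
}

// Walk a constructed redirect table (no network) to the URL that finally loads.
function resolveFinalUrl(url, redirects, maxHops = 10) {
  let current = new URL(url).href;
  const seen = new Set();
  for (let hop = 0; hop <= maxHops; hop++) {
    if (seen.has(current)) throw new Error('redirect loop');
    seen.add(current);
    const next = redirects.get(current);
    if (next === undefined) return current;
    current = new URL(next, current).href; // relative targets resolve here
  }
  throw new Error('too many redirects');
}

// Flawed: compares the opener with the URL the dialog was requested with.
function checkOriginalUrl(openerUrl, dialogUrl) {
  return originOf(openerUrl) === originOf(dialogUrl);
}

// Corrected: compares the opener with the URL the dialog ended up on.
function checkFinalUrl(openerUrl, dialogUrl, redirects) {
  try {
    return originOf(openerUrl) === originOf(resolveFinalUrl(dialogUrl, redirects));
  } catch (err) {
    return false; // fail closed on loops, long chains or unparsable URLs
  }
}

// Constructed sample data: opener page and server-side redirects.
const OPENER = 'http://opener.example/page.html';
const REDIRECTS = new Map([
  ['http://opener.example/dialog', 'http://other.example/account'],
  ['http://opener.example/help', '/help/index.html'],
  ['http://opener.example/loop', 'http://opener.example/loop'],
]);

function evaluate(dialogUrl) {
  const final = checkFinalUrl(OPENER, dialogUrl, REDIRECTS);
  return { original: checkOriginalUrl(OPENER, dialogUrl), final };
}
```

The two checks disagree only when a redirect leaves the opener's origin, which is the case the original-URL check lets through.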

  2. #2
    Junior Member
    Join Date
    Nov 2001
    Thanks Zigar, I happen to be working in a business where the system admins are idiots at best when it comes to security. I'll bring this up at the next meeting.
    If you don't tell me what I want to know, in 5 minutes I'll be the only person left standing at this table...5 minutes after that, I'll be the only person left standing in this room.
