MS IE 5.01 JSObject Cross-Frame Vulnerability
BID:1121
Info
MS IE 5.01 JSObject Cross-Frame Vulnerability
| Bugtraq ID: | 1121 |
| Class: | Access Validation Error |
| CVE: |
CVE-2000-0266 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Apr 19 2000 12:00AM |
| Updated: | Jul 11 2009 01:56AM |
| Credit: | Posted to Bugtraq on April 18, 2000 by Georgi Guninski <[email protected]>. |
| Vulnerable: |
Microsoft Internet Explorer for Unix 5.0 Microsoft Internet Explorer 5.0.1 |
| Not Vulnerable: | |
Discussion
MS IE 5.01 JSObject Cross-Frame Vulnerability
The cross-frame security model of Internet Explorer 5.01 can be circumvented through the use of a Java applet. If the applet is passed a parameter containing javascript code in the form of a 'javascript:' URL, the setMember method of the JSObject class can be used to change the 'href' of the DOM (Document Object Model) of another frame or window to that URL. The browser will then execute the javascript in the security context of the original contents of the other window or frame.
The cross-frame security model of Internet Explorer 5.01 can be circumvented through the use of a Java applet. If the applet is passed a parameter containing javascript code in the form of a 'javascript:' URL, the setMember method of the JSObject class can be used to change the 'href' of the DOM (Document Object Model) of another frame or window to that URL. The browser will then execute the javascript in the security context of the original contents of the other window or frame.
Exploit / POC
MS IE 5.01 JSObject Cross-Frame Vulnerability
Georgi Guninski <[email protected]> has set up the following vulnerability demonstration page:
http://www.nat.bg/~joro/jsinject.html
Also, Hiromitsu Takagi <[email protected]> has modified the above demonstration to show that this can be exploited withour relying on scripting of Java applets. It is available at:
http://java-house.etl.go.jp/~takagi/java/test/Guninski-jsinject-modified/
Georgi Guninski <[email protected]> has set up the following vulnerability demonstration page:
http://www.nat.bg/~joro/jsinject.html
Also, Hiromitsu Takagi <[email protected]> has modified the above demonstration to show that this can be exploited withour relying on scripting of Java applets. It is available at:
http://java-house.etl.go.jp/~takagi/java/test/Guninski-jsinject-modified/
Solution / Fix
MS IE 5.01 JSObject Cross-Frame Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
MS IE 5.01 JSObject Cross-Frame Vulnerability
References:
References:
- Guninski-jsinject-modified (Hiromitsu Takagi)
- IE 5 Java/javascript vulnerability (Georgi Guninski)