Bugtraq mailing list archives

Cross-Frame, About Pluggable Protocol, Security Zone Spoofing


From: the Pull <osioniusx () yahoo com>
Date: Tue, 11 Dec 2001 09:56:10 -0800 (PST)

Cross-Frame, About Pluggable Protocol, Security Zone
Spoofing

Class: Failure to Handle Exceptional Conditions
Remote: Yes
Local: Yes
Found: November 27, 2001
Severity: Mild
Vulnerable: IE 6.0.2600.0000
+ Windows 2000 Update Versions: Q312461
IE 5.50.4134.0100 Update Versions: q269368
+ Windows ME



Discussion: By merely appending a percent sign after
an about URL which has opened in a window, you can
access some elements of the previous document's
document object model. What this means is that you can
run script in the security context of "My Computer" or
"Trusted Sites" and can embed iframes (text/x-scriptlet
objects) from varying domains and protocols while the
Security Zone still reads "My Computer" or "Trusted
Sites". The limitations in this exploit are from the
About Pluggable Protocol's security restrictions and
security restrictions on embedded objects within this
protocol (if you have the latest patches).

Exploits: http://www.osioniusx.com

"trustedSites.html" - Opens an about page in a trusted
zone and navigates to a javascript url while remaining
in the Trusted Zone.
"Domains.html" - Opens two remote sites up in iframes
while remaining in the My Computer Zone (instead of
mixed). You could just as well open up .hta, .vbs,
even .bat files in this manner. 
"MyComputer.html" - Opens about page in My Computer
zone and navigates to a javascript url.


Potential Solution: Minor fix on the About Pluggable
Protocol. Note: Word needs to get out to all users that
they need to update their browsers to the latest fixes
at all times. I would like to see this automated in
future versions of IE.

Vendor Status: Emailed to "Secure () microsoft com". 


 

 

