Microsoft Outlook Express/Windows Mail MHTML URI Handler Information Disclosure Vulnerability

Vulnerability ID: 1110148 Vulnerability type: Information disclosure
Published: 2006-04-27 Updated: 2007-06-14
CVE ID: CVE-2006-2111 CNNVD-ID: CNNVD-200605-018
Platform: Windows CVSS score: 4.3
|Vulnerability source
https://www.exploit-db.com/exploits/27745
https://www.securityfocus.com/bid/17717
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-018
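|Vulnerability details
Outlook Express and Windows Mail are the e-mail clients bundled with the Windows operating system. An information disclosure vulnerability exists in Windows because the MHTML protocol handler incorrectly interprets MHTML URL redirections in a way that could bypass Internet Explorer domain restrictions. An attacker could exploit the vulnerability by constructing a specially crafted web page. If a user views the page with Internet Explorer, the vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data from another Internet Explorer domain.
|Exploit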
source: http://www.securityfocus.com/bid/17717/info

Outlook Express and Windows Mail are prone to a cross-domain information-disclosure vulnerability.

This vulnerability may let a malicious website access properties of a site in an arbitrary external domain in the context of the victim user's browser. Attackers could exploit this issue to gain access to sensitive information (such as cookies or passwords) that is associated with the external domain.

This issue was previously reported as an Internet Explorer vulnerability, but the affected component is found to be part of Outlook Express and Windows Mail. Microsoft confirmed that this is an Outlook Express/Windows Mail vulnerability that can also be exploited through Internet Explorer.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/27745.zip
|Affected products
Microsoft Windows Mail 0
+ Microsoft Windows Vista 0
+ Microsoft Windows Vista x64 Edition 0
Microsoft Outlook Express 6.0 SP2
|References

Source: US-CERT
Name: TA07-163A
Link: http://www.us-cert.gov/cas/techalerts/TA07-163A.html
Source: US-CERT
Name: VU#783761
Link: http://www.kb.cert.org/vuls/id/783761
Source: XF
Name: ie-mhtml-information-disclosure(26281)
Link: http://xforce.iss.net/xforce/xfdb/26281
Source: BID
Name: 17717
Link: http://www.securityfocus.com/bid/17717
Source: HP
Name: HPSBST02231
Link: http://www.securityfocus.com/archive/1/archive/1/471947/100/0/threaded
Source: BUGTRAQ
Name: 20061025 IE7 status: 8 days after release, 3 unfixed issues
Link: http://www.securityfocus.com/archive/1/archive/1/449917/100/0/threaded
Source: BUGTRAQ
Name: 20061026 IE7 is a Source of Problem - Secunia IE7 Release Incident of October 2006
Link: http://www.securityfocus.com/archive/1/archive/1/449883/100/200/threaded
Source: OSVDB
Name: 25073
Link: http://www.osvdb.org/25073
Source: MS
Name: MS07-034
Link: http://www.microsoft.com/technet/security/bulletin/ms07-034.mspx
Source: VUPEN
Name: ADV-2007-2154
Link: http://www.frsirt.com/english/advisories/2007/2154
Source: VUPEN
Name: ADV-2006-1558
Link: http://www.frsirt.com/english/advisories/2006/1558
Source: SECTRACK
Name: 101