SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Web Browser)  >   Microsoft Internet Explorer (IE) Vendors:   Microsoft
Microsoft Internet Explorer URL Decoding Inconsistency May Result in a Web Page Loading in the Incorrect Security Domain
SecurityTracker Alert ID:  1005182
SecurityTracker URL:  http://securitytracker.com/id/1005182
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 5 2002
Impact:   Execution of arbitrary code via network, Modification of system information
Exploit Included:  Yes  
Version(s): 6
Description:   A vulnerability was reported in Microsoft Internet Explorer (IE). A remote user can create a URL that, when loaded by the target user, will cause arbitrary scripting code to be executed in the security domain of a different web site.

It is reported that IE version 6 does not consistently interpret encoded URLs when determining the security domain and loading the page. The browser reportedly will decode an encoded URL string (e.g., '%2F') when determining the appropriate security domain but will not decode the string when loading a web page. As a result, a remote user can create a URL that will load a web page in one security domain but will interpret the page as belonging to another security domain.

For example, the following URL will cause IE to load the web page from 'domain2' but process the page in the security context of 'domain1':

http://[domain1]%25%32%46%40[domain2]/
Impact:   A remote user can create a URL that, when loaded by the target user, will be loaded in the incorrect security domain.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:   Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Microsoft Issues Fix) Microsoft Internet Explorer URL Decoding Inconsistency May Result in a Web Page Loading in the Incorrect Security Domain   (secnotif@microsoft.com)
Microsoft has released a fix.


 Source Message Contents
Date:  3 Sep 2002 12:49:20 -0000
Subject:  MSIEv6 % encoding causes a problem again




it's about cross-site scripting at MSIEv6 client side using % encoding, 
but not the same as the one by PeaceFire.org which doesn't work on my PC.

[tested]MSIEv6(CN version)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000} 

[demo]
at 
http://www16.brinkster.com/liudieyu/2FforMSIE/2FforMSIE-MyPage.htm
or 
clik.to/liudieyu ==> 2FforMSIE-MyPage section.

[exp]
%?? in URL is decoded when IE caculates the domain, but not decoded while 
downloading a page.
so
[CODE.URL]http://www.yahoo.com%2F@clik.to/liudieyu
(	2F=hex$(asc('/'))	)
leads to clik.to/liudieyu instead of www.yahoo.com, and the domain of it 
www.yahoo.com for IE

Very simple, that's all.

[contact]
liudieyuinchina@yahoo.com.cn


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC