Additional Details Released on the Zone Spoofing Vulnerability
posted by: valvoline on 15/10/2001 @ 22.45.40
Summary: Microsoft Internet Explorer security is dependent on different "security zones". These zones (Local Intranet zone and Internet zone) can have different security settings with regard to scripting and ActiveX execution. Many individuals and companies (including Microsoft) depend on these zones to allow custom-written ActiveX controls (unsigned and unsafe for scripting) to run on their internal intranet or network. A flaw has been discovered in Internet Explorer that can bypass these zones and "fool" the browser into believing an Internet site resides in the local intranet zone. As a result, malicious website owners could potentially operate (and execute malicious code) in the user's local intranet zone by luring surfers to their site with specially crafted URLs. For this flaw to be dangerous, the user would have to have lower security settings in the intranet zone than in the Internet zone.
Vulnerable systems: Microsoft Internet Explorer 4.x, Microsoft Internet Explorer 5.x
Example: A site that uses basic authentication allows a username (and/or password) to be passed in the URL like this:
http://mike@msdn.microsoft.com
Another possibility is to convert an IP address into a dotless IP address; such an address is also called a DWORD address (some proxy servers, routers or web servers do not allow this).
http://msdn.microsoft.com - IP: 207.46.239.122
Convert this IP address to a DWORD address:
207 * 16777216 = 3472883712
46 * 65536 = 3014656
239 * 256 = 61184
122 * 1 = 122
------------------------------------------------ +
= 3475959674
This DWORD address can be used to visit the site like: http://3475959674
If we combine the URL login option with the DWORD IP address, we will get the following URL:
http://mike@3475959674
The browser still thinks we are in the Internet zone, as expected.
Now we change the @ sign to its URL-encoded ASCII equivalent (%40):
http://mike%403475959674
Using this link, the browser treats the Internet site we are visiting as part of the local intranet zone.
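A defender-side check for the URL forms walked through above, as an added example that is not part of the original post: it flags an encoded @ in the authority, userinfo, and dotless (DWORD) hosts, for use over proxy or mail-gateway URL logs. The function names and finding labels are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, unquote

def dotted_to_dword(ip):
    """Dotted-quad IPv4 -> dotless decimal (DWORD) form, same sum as the article."""
    a, b, c, d = (int(part) for part in ip.split("."))
    return a * 16777216 + b * 65536 + c * 256 + d

def dword_to_dotted(n):
    """Dotless decimal (DWORD) -> dotted-quad IPv4, so analysts see the real host."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def audit_url(url):
    """Return finding labels (hypothetical names) for one URL; [] means nothing flagged."""
    findings = []
    netloc = urlsplit(url).netloc
    # An escaped '@' has no legitimate reason to sit in the authority part.
    if "%40" in netloc:
        findings.append("encoded-at-in-authority")
        netloc = unquote(netloc)  # analyse what a late-decoding client would see
    _userinfo, at, hostport = netloc.rpartition("@")
    if at:
        findings.append("userinfo-present")
    host = hostport.split(":")[0]
    # A host made only of digits is a dotless IP, never an intranet name.
    if re.fullmatch(r"\d+", host) and int(host) <= 0xFFFFFFFF:
        findings.append("dotless-ip:" + dword_to_dotted(int(host)))
    return findings

# URLs taken from the article, used here as sample log input.
SAMPLE_URLS = [
    "http://msdn.microsoft.com",
    "http://mike@msdn.microsoft.com",
    "http://3475959674",
    "http://mike@3475959674",
    "http://mike%403475959674",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", audit_url(u) or "ok")
```
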
Solution: An official Microsoft patch that will fix this can be found at the following address: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-051.asp