Vulnerability Note VU#923508

Microsoft Internet Explorer 6 contains a cross-domain vulnerability

Microsoft Internet Explorer 6 is vulnerable to a cross-domain scripting violation, which can allow a remote, unauthenticated attacker to access the content of a web page in a different domain.

IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Internet Security Manager Object determines in which zone or domain a URL exists and what actions can be performed. From Microsoft Security Bulletin MS03-048:

One of the principal security functions of a browser is to ensure that browser windows that are under the control of different Web sites cannot interfere with each other or access each other's data, while allowing windows from the same site to interact with each other. To differentiate between cooperative and uncooperative browser windows, the concept of a "domain" has been created. A domain is a security boundary - any open windows within the same domain can interact with each other, but windows from different domains cannot. The cross-domain security model is the part of the security architecture that keeps windows from different domains from interfering with each other.

Internet Explorer 6 fails to properly enforce the cross-domain security model when a page location is modified through use of an object, rather than a string.

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker may be able to obtain access to web content in another domain. The impact is similar to that of a cross-site scripting vulnerability. For a more detailed description of the impact of cross-site scripting vulnerabilities, please see CERT Advisory CA-2000-02.

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:

Apply an update



This vulnerability does not appear to affect Internet Explorer 7. Therefore, updating to Internet Explorer 7 may mitigate this vulnerability.



Disable Active Scripting



This vulnerability can be mitigated by disabling Active Scripting, as specified in the "Securing Your Web Browser" document.

Systems Affected

http://www.cert.org/advisories/CA-2000-02.html

This vulnerability was publicly disclosed by rayh4c.

This document was written by Will Dormann.

Vulnerability Note VU#305208

Caucho Resin vulnerable to XSS via "file" parameter to "viewfile"

The "viewfile" command provided by Caucho Resin contains a cross-site scripting (XSS) vulnerability in the "file" parameter.

Caucho Resin is a Java-based application server. The "viewfile" command that is provided with the Resin documentation is vulnerable to XSS via the "file" parameter.

A remote, unauthenticated attacker may be able to execute arbitrary script within the context of the Resin web pages.

Apply an update

This issue is resolved in Resin 3.0.25 and 3.1.4. Note that the vendor does not recommend including the Resin documentation on production web servers, which would prevent the vulnerable command from being exposed.

http://www.caucho.com/

http://www.caucho.com/resin/changes/changes-31.xtp#3.1.4%20-%20Dec%205,%202007

Credit

Thanks to Tomasz Kuczynski for reporting this vulnerability.

This document was written by Will Dormann.

Vulnerability Note VU#705529

Apple Safari WebKit fails to properly handle a crafted URL

A vulnerability in the way Apple Mac OS X handles specially crafted URLs may allow an attacker to execute script in the context of another site..

According to Apple Safari 3.1.1:

An issue exists in WebKit's handling of URLs containing a colon character in the host name. Opening a maliciously crafted URL may lead to a cross-site scripting attack. This update addresses the issue through improved handling of URLs.

This vulnerability may allow an attacker to execute script in the context of another site.

Apply Apple Updates

Apple has released an update to address this vulnerability. Refer to Apple Safari 3.1.1.

http://support.apple.com/kb/HT1467

Credit

This issue is adressed in Apple Safari 3.1.1. Apple credits Robert Swiecki of the Google Security Team, and David Bloom for reporting this issue.

This document was written by Chris Taschner.

Vulnerability Note VU#466521

Mozilla JavaScript privilege escalation

Mozilla products contain multiple vulnerabilities that may allow a remote, unauthenticated attacker to execute arbitrary code.

Mozilla Firefox, Thunderbird, and SeaMonkey do not properly handle JavaScript, which may allow privilege escalation and execution of arbitrary code on an affected system.

Successful exploitation of this vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Apply an update

Mozilla Foundation has issued new versions of the affected products which address these vulnerabilities. Please see MFSA 2008-14 for more details.

Workaround

Disabling JavaScript is an effective workaround for these vulnerabilities. It is strongly recommended that you disable JavaScript until a version containing patches for these vulnerabilities can be installed.

http://www.mozilla.org/security/announce/2008/mfsa2008-14.html

Credit

This document was written by Joseph Pruszynski.

Vulnerability Note VU#766019

Apple Safari vulnerable to xss via the processing of JavaScript URLs

A vulnerability in the way Apple Safari handles JavaScript URLs may allow execution of JavaScript in the context of another site.

Apple Safari contains a vulnerability that may cause a cross-site script injection when processing JavaScript URLs. According to Apple Security Advisory APPLE-SA-2008-03-18:

A cross-site scripting issue exists in the processing of javascript: URLs. Enticing a user to visit a maliciously crafted web page could allow the execution of JavaScript in the context of another site. This update addresses the issue by performing additional validation of javascript: URLs.

This vulnerability may allow an attacker to execute JavaScript in the context of another site.

Apply an update

This issue is addressed in Apple Safari 3.1.

http://docs.info.apple.com/article.html?artnum=307563

Credit

This vulnerability was reported in Apple Security Advisory APPLE-SA-2008-03-18. Apple credits Robert Swiecki of Google Information Security Team for reporting this issue.

This document was written by Chris Taschner.