Microsoft Internet Explorer Lets Remote Users Access XML Documents

SecurityTracker Alert ID: 1011563
SecurityTracker URL: http://securitytracker.com/id?1011563
CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)
Date: Oct 7 2004
Impact: Disclosure of system information, Disclosure of user
information, Host/resource access via network
Exploit Included: Yes
Advisory: Georgi Guninski
Description: A vulnerability was reported in Microsoft Internet
Explorer. A remote user can access XML documents that are accessible
to the target user.

Georgi Guninski reported that a remote user can create HTML code that,
when loaded by the target user, will retrieve XML data from arbitrary
servers and forward that information to the remote user.

This can be achieved by javascript that loads the target XML document
and then an 'xml' script that invokes a redirect script on a remote
web site to redirect the current document to a remote site.

The original advisory, including some demonstration exploit HTML code
is available at:

http://www.guninski.com/where_do_yo...day_1.html
Impact: A remote user can access XML documents that are accessible to
the target user.
Solution: No solution was available at the time of this entry.

[Editor's note: Disabling scripting will prevent the exploit presented
in the advisory.]
Vendor URL: www.microsoft.com/ (Links to External Site)
Cause: Access control error, State error
Underlying OS: Windows (Any)
Underlying OS Comments: Tested on Windows 2000 and Windows XP
Reported By: Georgi Guninski <guninski@guninski.com>
Message History: None.

Source Message Contents
Date: Thu, 7 Oct 2004 10:45:21 +0300
From: Georgi Guninski <guninski@guninski.com>
Subject: Yet another IE aperture



Georgi Guninski security advisory #71, 2004

Yet another IE aperture

Systems affected:
tested on patched IE on win2k and xp

Date: 7 October 2004

Legal Notice:
This Advisory is Copyright (c) 2004 Georgi Guninski.
You may not modify it and distribute it or distribute
parts
of it without the author's written permission - this especially
applies to
so called "vulnerabilities databases" and securityfocus, microsoft,
cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/where_do_yo...day_1.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true
though
it may be false.
The opinions expressed in this advisory and program are my own
and
not of any company. The usual standard disclaimer
applies,
especially the fact that Georgi Guninski is not liable for any
damages
caused by direct or indirect use of the information or
functionality
provided by this advisory or program. Georgi Guninski
bears no
responsibility for content or misuse of this advisory or
program or
any derivatives thereof.

Description:

By opening html in IE it is possible to read at least well formed xml
from
arbitrary servers. The info then may be transmitted.

Details:

Consider this:


<html>
<script>
function f()
{
alert(document.all.x1.XMLDocument.xml);
}
</script>

<body onload="f()">
<script id="x1" language="xml" src="/cgi-bin/redir.pl"></scr
ipt>
<h1>
Copyright Georgi Guninski <br />
Cannot be used in any database
</h1>
</body>
</html>


redir.pl does a http redirect.


Georgi Guninski
http://www.guninski.com






Go to the Top of This SecurityTracker Archive Page




Home | View Topics | Search | Contact Us | Help

Copyright 2004, SecurityGlobal.net LLC
http://www.securitytracker.com/aler...11563.html