Published: 2001-10-30 00:00:00
Last modified: 2017-10-09 21:29:49

[Original] Internet Explorer 5.5 and 5.01 allows remote attackers to bypass security restrictions via malformed URLs that contain dotless IP addresses, which causes Internet Explorer to process the page in the Intranet Zone, which may have fewer security restrictions, aka the "Zone Spoofing vulnerability."

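[CNNVD] Microsoft Internet Explorer Zone Spoofing Vulnerability (CNNVD-200110-123)

        Internet Explorer versions 5.5 and 5.01 contain a vulnerability. A remote attacker can bypass security restrictions by means of malformed URLs that contain dotless IP addresses; the flaw causes Internet Explorer to process the page in the Intranet Zone, which may have fewer security restrictions. It is also known as the "Zone Spoofing vulnerability".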

- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected platforms and products)

cpe:/a:microsoft:ie:5.01    Microsoft Internet Explorer 5.01
cpe:/a:microsoft:ie:5.5    Microsoft ie 5.5

- OVAL (Technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20011011 Serious security Flaw in Microsoft Internet Explorer - Zone Spoofing
(UNKNOWN)  BID  3420
(UNKNOWN)  XF  ie-incorrect-security-zone(7258)

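- Vulnerability information

Microsoft Internet Explorer Zone Spoofing Vulnerability
High risk    Input validation
2001-10-30 00:00:00 2005-10-12 00:00:00
        Internet Explorer versions 5.5 and 5.01 contain a vulnerability. A remote attacker can bypass security restrictions by means of malformed URLs that contain dotless IP addresses; the flaw causes Internet Explorer to process the page in the Intranet Zone, which may have fewer security restrictions. It is also known as the "Zone Spoofing vulnerability".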

- Advisories and patches

        Microsoft has released the following patches which rectify this issue. It should be noted that users with IE 5.5 and 5.01 require SP2 before installing the patch.
        Microsoft Internet Explorer 5.0.1 SP2
        Microsoft Internet Explorer 5.5 SP2

- Vulnerability information (21118)

Microsoft Internet Explorer 5 Zone Spoofing Vulnerability (EDBID:21118)
windows remote
2001-10-10 Verified
0 kikkert security
N/A

Microsoft Internet Explorer contains a security-setting feature that can be modified according to a user's preferences. These settings control what actions a web site can take on a user's system.

A vulnerability exists in Internet Explorer that could allow a web site to be viewed in the Local Intranet Zone rather than the Internet Zone, thus allowing content to be viewed with less-restrictive security settings.

Converting the IP address of the target web site into a dotless IP address, and submitting it, will cause Internet Explorer to view the web site in the Local Intranet zone.

* Microsoft Security Bulletin MS01-055 states that there is a new variant of this issue, although no technical details have been provided. A cumulative patch has been released and IE 5.5 users are encouraged to install it. 


An option in a basic authenticated site is to pass on a username (and/or
password) in the URL like this:

Another possibility is to convert an IP address into a dotless IP address;
such an address is also called a DWORD address (some proxy servers, routers
or web servers do not allow this). - IP:

Convert this IP address to a DWORD address:

207 * 16777216 = 3472883712
46 * 65536 = 3014656
239 * 256 = 61184
122 * 1 = 122
------------------------------------------------ +
= 3475959674

This DWORD address can be used to visit the site like:

If we combine the URL login option with the DWORD IP address we'll get the
following URL:


The browser still thinks we are in the internet zone as expected.

Now we change the @ sign to its ASCII equivalent (%40):
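
A defensive counterpart to the conversion above, added here as an example and not part of the original advisory: it canonicalises a URL's host (decoding %40, dropping userinfo, expanding a dotless DWORD address to dotted form) before any zone or allow-list decision is made. The function names, the sample URLs and the simplified rule that only a bare dot-free name counts as intranet are assumptions for illustration.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

def canonical_host(url):
    """Return (host, findings) with the host in the form a zone check should see."""
    findings = []
    # Decode percent-escapes first so an encoded "@" (%40) is recognised as the
    # userinfo delimiter, whichever way the client ends up parsing it.
    authority = unquote(urlsplit(url).netloc)
    if "@" in authority:
        findings.append("userinfo")
        authority = authority.rsplit("@", 1)[1]
    # Re-parse the remaining authority to strip any port and lowercase the host.
    host = urlsplit("//" + authority).hostname or ""
    # An all-digit host that fits in 32 bits is a dotless (DWORD) IPv4 address.
    if host.isascii() and host.isdigit() and int(host) <= 0xFFFFFFFF:
        findings.append("dotless-ip")
        host = str(ipaddress.IPv4Address(int(host)))
    return host, findings

def zone(url):
    """Assumed rule: only a bare, dot-free name with no findings is intranet."""
    host, findings = canonical_host(url)
    if findings or not host or "." in host:
        return "internet"
    return "intranet"

# Constructed samples: 192.0.2.1 (documentation range) is 3221225985 as a DWORD.
SAMPLES = [
    "http://fileserver/share",
    "http://3221225985/",
    "http://user@3221225985:8080/x",
    "http://www.example.com%403221225985/",
    "http://192.0.2.1/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        host, findings = canonical_host(url)
        print(f"{url:40} host={host:12} findings={findings} zone={zone(url)}")
```
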


- Vulnerability information

Microsoft IE Dotless IP Zone Spoofing Weakness
Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Microsoft Internet Explorer contains a flaw related to the way dotless IP addresses are classified with respect to their security zone. This flaw may allow an attacker to have Internet Explorer interpret a site of the Internet security zone as a site of the Intranet security zone and therefore execute in a context of lower security.

- Timeline

2001-10-10 Unknown
2011-10-10 Unknown

- Solution

Microsoft has released a patch to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround(s): increase the security settings of the Intranet security zone to match the security settings of the Internet security zone.

- Related references

- Vulnerability author