[Original] Internet Explorer 5.5 and 5.01 allow remote attackers to bypass security restrictions via malformed URLs that contain dotless IP addresses, which cause Internet Explorer to process the page in the Intranet Zone, which may have fewer security restrictions, aka the "Zone Spoofing vulnerability."
Microsoft Internet Explorer contains a security-setting feature that can be modified according to a user's preferences. These settings control what actions a web site can take on a user's system.
A vulnerability exists in Internet Explorer that could allow a web site to be viewed in the Local Intranet Zone rather than the Internet Zone, so that its content is handled under the less restrictive security settings of that zone.
Converting the IP address of the target web site into a dotless IP address and requesting the site by that address causes Internet Explorer to place the web site in the Local Intranet zone.
* Microsoft Security Bulletin MS01-055 states that there is a new variant of this issue, although no technical details have been provided. A cumulative patch has been released and IE 5.5 users are encouraged to install it.
One option on a site protected by HTTP Basic authentication is to pass a username (and/or password) in the URL, like this:
Another possibility is to convert an IP address into a dotless IP address; such an address is also called a DWORD address (some proxy servers, routers or web servers do not accept this form).
http://msdn.microsoft.com - IP: 207.46.239.122
Convert this IP address to a DWORD address by weighting the four octets with 256^3, 256^2, 256 and 1 and adding the results:
207 * 16777216 = 3472883712
46 * 65536 = 3014656
239 * 256 = 61184
122 * 1 = 122
3472883712 + 3014656 + 61184 + 122 = 3475959674
This DWORD address can be used to visit the site like:
If we combine the URL login option with the DWORD IP address we'll get the
The browser still thinks we are in the internet zone as expected.
Now we change the @ sign to its URL-encoded (percent-encoded) form, %40:
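The walkthrough above, as an added example that is not part of the original advisory: the dotted-to-DWORD arithmetic in both directions, a simplified model of the flawed rule the advisory describes (a host with no dots is assumed to be a local intranet machine, which a dotless IP literal satisfies), and a hardened classifier that canonicalises the host before deciding. The zone rules, the function names and the "fail closed to the Internet zone" choice are this example's own simplification, not Internet Explorer's actual zone code or Microsoft's patch.

```javascript
// Added example, not code from the original advisory. Models the flaw the
// advisory describes (dotless IPv4 literal vs. a "no dots => local intranet"
// rule) and one way to canonicalise before classifying. Zone rules and helper
// names are this example's simplification, not IE's real zone logic.

// Dotted quad -> DWORD, the same arithmetic the advisory walks through.
function ipToDword(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error('not a dotted-quad IPv4 address: ' + ip);
  }
  return parts[0] * 16777216 + parts[1] * 65536 + parts[2] * 256 + parts[3];
}

// DWORD -> dotted quad (inverse of the above).
function dwordToIp(n) {
  if (!Number.isInteger(n) || n < 0 || n > 0xffffffff) {
    throw new Error('not a 32-bit unsigned value: ' + n);
  }
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// Authority part of an http(s) URL, taken verbatim: no decoding, no normalisation.
function rawAuthority(url) {
  const m = /^https?:\/\/([^/?#]*)/i.exec(url);
  if (!m) throw new Error('not an http(s) URL: ' + url);
  return m[1];
}

// Flawed rule (simplified model): if the raw authority text contains no dot,
// treat the site as a local intranet machine name. "3475959674" has no dots,
// so it lands in the Local Intranet zone although it is an Internet host.
function naiveZone(url) {
  return rawAuthority(url).includes('.') ? 'Internet' : 'Local Intranet';
}

// Hardened rule: isolate the host, percent-decode it, rewrite a purely numeric
// host to dotted form, and refuse anything that is still not a plain host name.
// Refusal maps to the most restrictive zone (fail closed).
function canonicalHost(url) {
  let host = rawAuthority(url);
  const at = host.lastIndexOf('@');          // only a literal '@' ends userinfo
  if (at !== -1) host = host.slice(at + 1);
  const colon = host.lastIndexOf(':');       // strip an explicit port
  if (colon !== -1) host = host.slice(0, colon);
  try { host = decodeURIComponent(host); } catch (e) { return null; }
  if (/^\d+$/.test(host)) {                  // dotless decimal IPv4 literal
    const n = Number(host);
    return n <= 0xffffffff ? dwordToIp(n) : null;
  }
  return /^[A-Za-z0-9.-]+$/.test(host) ? host.toLowerCase() : null;
}

function hardenedZone(url) {
  const host = canonicalHost(url);
  if (host === null) return 'Internet';      // undecidable host: most restrictive zone
  return host.includes('.') ? 'Internet' : 'Local Intranet';
}

// Cross-check: Node's WHATWG URL parser also rewrites a numeric host to dotted form.
function whatwgHost(url) {
  return new URL(url).hostname;
}

// Constructed walk-through using the advisory's own address.
const DOTTED = '207.46.239.122';
const DWORD = ipToDword(DOTTED);             // 3475959674
for (const u of [`http://${DOTTED}/`, `http://${DWORD}/`,
                 `http://msdn.microsoft.com@${DWORD}/`,
                 `http://msdn.microsoft.com%40${DWORD}/`]) {
  console.log(u, '| naive:', naiveZone(u), '| hardened:', hardenedZone(u));
}
```

The hardened classifier only handles the dotless decimal form the advisory uses; a real canonicaliser must also cover the other numeric host spellings that IPv4 parsers accept (hexadecimal, octal, and fewer than four parts), or, better, delegate host parsing to a library that already does so, as the WHATWG cross-check above illustrates.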
Microsoft Internet Explorer contains a flaw in the way dotless IP addresses are classified with respect to their security zone. This flaw may allow an attacker to have Internet Explorer treat a site that belongs in the Internet security zone as a site in the Local Intranet security zone, so that its content runs under that zone's weaker security settings.
Microsoft has released a patch to address this issue. Additionally, the flaw can be mitigated with the following workaround:
Increase the security settings of the Local Intranet security zone to match those of the Internet security zone. The bypass only gains anything if the Intranet zone is more permissive than the Internet zone, so equalising the two removes the benefit; note that it also removes the Intranet zone's relaxed behaviour for legitimate intranet sites.