Published: 2001-10-30 00:00:00
Revised: 2017-10-09 21:29:49

[Original] Internet Explorer 6 and earlier allows remote attackers to cause certain HTTP requests to be automatically executed and appear to come from the user, which could allow attackers to gain privileges or execute operations within web-based services, aka the "HTTP Request Encoding vulnerability."

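[CNNVD] Microsoft Internet Explorer HTTP Request Encoding Vulnerability (CNNVD-200110-140)

        Internet Explorer 6 and earlier versions contain a vulnerability. A remote attacker can cause certain HTTP requests to be executed automatically and appear to come from the user; the attacker can also use this vulnerability to elevate privileges or perform operations within web-based services. It is also known as the "HTTP Request Encoding vulnerability".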

- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

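- CPE (Affected Platforms and Products)


- OVAL (Technical Details for Detection)


- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other Links and Resources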
(UNKNOWN)  BID  3421
(UNKNOWN)  XF  ie-url-http-requests(7259)

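- Vulnerability Information

Microsoft Internet Explorer HTTP Request Encoding Vulnerability
High risk  Input validation
2001-10-30 00:00:00 2005-10-12 00:00:00
        Internet Explorer 6 and earlier versions contain a vulnerability. A remote attacker can cause certain HTTP requests to be executed automatically and appear to come from the user; the attacker can also use this vulnerability to elevate privileges or perform operations within web-based services. It is also known as the "HTTP Request Encoding vulnerability".

- Advisories and Patches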

        Microsoft has released a patch which addresses this issue:
        Note that in order to apply the patches for IE5.01 and IE5.5, you must have Internet Explorer Service Pack 2 installed for each product.
        Microsoft Internet Explorer 5.0.1 SP2
        Microsoft Internet Explorer 5.5 SP2
        Microsoft Internet Explorer 6.0

- Vulnerability Information

Microsoft IE HTTP Request Encoding
Remote / Network Access
Loss of Confidentiality, Loss of Integrity

- Vulnerability Description

Microsoft Internet Explorer contains a flaw that may allow a malicious user to automatically execute HTTP requests on behalf of the victim. The issue is triggered when the attacker encodes URLs in a specific way and the victim views HTML crafted by the attacker. It is possible that the flaw may allow the attacker to take control of the victim's web-based applications, such as web-based email and online banking.

- Timeline

2001-10-10 Unknown
2001-10-10 Unknown

- Solution

Apply the Q306121 hotfix, as it has been reported to fix this vulnerability. The fix for this flaw is also included in IE 5.01 Service Pack 3, IE 5.5 Service Pack 3, and IE 6 Service Pack 1. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author