Microsoft Internet Explorer 5.0.1 - Invalid Byte Cross-Frame Access

EDB-ID:

19156




Platform:

Windows

Date:

1999-01-28


source: https://www.securityfocus.com/bid/197/info

On January 28, 1999, Georgi Guninski originally reported a vulnerability in Internet Explorer 4.x. Internet Explorer 4.x's implentation of Cross-frame security could be bypassed if "%01" is appended to an arbitrary URL. If the specially malformed URL is inserted in a javascript after an 'about:' statement, arbitrary code can be executed on the target host. Successful exploitation could lead to access to local files, window spoofing, and arbitrary code execution.

On October 6, 2000, Alp Sinan discovered that a variation of this vulnerability exists in Microsoft Internet Explorer 5.5. Instead of using "%01", the ASCII equivalents of "^A" or "&#01" can be used instead. 

Georgi Guninski <guninski@guninski.com> has set up the following demonstration pages:

Exploit through HTML mail message:

http://www.guninski.com/scriptlet.html

http://www.guninski.com/scrspoof.html

Exploit through TDC:

http://www.guninski.com/scrauto.html

Alp Sinan <alp@uk2.net> has set up the following demonstration pages:

Reading of local files:
http://horoznet.com/AlpSinan/localread.htm

Window spoofing:
http://horoznet.com/AlpSinan/webspoof.htm

Cross-frame security circumvention
http://horoznet.com/AlpSinan/crossframe.htm